Authentication
All requests to the Slingshot API Server will contain the following custom HTTP headers:
Header Name | Description |
---|---|
X-SS-APIKey | The API Key issued to the Slingshot developer from Raven. |
X-SS-Signature | The signature generated for this request using the Shared Secret issued by Raven to the ISV. |
X-SS-AccessKey | The Access Key issued to a Slingshot user from the Raven Slingshot Portal Server. |
X-SS-TimeStamp | The Unix-style timestamp of when the request was generated; the number of seconds elapsed from midnight on Jan 1, 1970. |
These header values, along with other key components of the request, are used to generate a signature that verifies the request. Details for generating this signature can be found later in this document.
All requests to the Slingshot API Server will be authenticated in 3 ways:
- The API Key will be verified against the Slingshot API database.
- The request will be validated via an HMAC-SHA1 signature check of key components of the request to ensure that the request came from the owner of the API Key and that the request has not been tampered with.
- The request will have a valid lifetime of 120 seconds to prevent replay attacks.
If any of these checks fails, the Slingshot API server will respond with a 401 Unauthorized response. Details of which check failed may be returned in the body of the response.