Is there a way to verify the current user is authenticated with the Genesys Cloud through non-spoofable APIs?

Hi

I am at the design phase of a new premium app. This integrated app will provide features to the Genesys Cloud customer that require API access of our own public API. As part of the registration process, I will utilize a static API key in order to create a customer account and user in our own platform. This user account will be used to allow API access.

I don't want to force the Genesys Cloud customer to have to log in to our own application, so I need a way to bind the Genesys Cloud user with our own. What is the best way to authenticate that the current user is authenticated with your platform? I don't want to impersonate our user account without first knowing we are integrated into your cloud platform and authenticated.

My concern is that someone takes our iframe URL, embeds it into their own site and spoofs the Cloud APIs.

Thanks
Gavin

Your app must implement one of the OAuth flows to get a token, then it can make authorized API requests using that token. To identify the user that authorized your application, make a request to GET /api/v2/users/me.


Thanks Tim, that was useful. So we'll implement the Authorization Code grant so that the server can perform API requests on behalf of the user.

The /api/v2/tokens/me doesn't seem to be using arguments, do I assume it is passing the access key via cookies?

Thanks

See the section Use the access token for details on how to make requests once your app has been authorized: https://developer.genesys.cloud/authorization/platform-auth/use-authorization-code#use-the-access-token
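The check discussed in this thread, as an added example that is not code from any of the posts or from Genesys: the server takes the access token it obtained through the Authorization Code grant, sends it as a bearer token to GET /api/v2/users/me, and binds to a local account only on the user id Genesys Cloud returns, never on anything the iframe or browser claims. The host `api.mypurecloud.com` (it differs by region), the `bindings` mapping and all function names are assumptions.

```python
import json
import urllib.error
import urllib.request

# Assumption: region-specific API host; adjust for the customer's region.
API_HOST = "https://api.mypurecloud.com"


class NotAuthenticated(Exception):
    """Raised when the token cannot be tied to a known local account."""


def http_get_me(access_token, api_host=API_HOST, timeout=5):
    """Call GET /api/v2/users/me with the token in the Authorization header."""
    req = urllib.request.Request(
        api_host + "/api/v2/users/me",
        headers={"Authorization": "Bearer " + access_token},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        # 401 and similar: the token is missing, expired or forged.
        return err.code, {}


def resolve_local_user(access_token, bindings, get_me=http_get_me):
    """Return the local account bound to the token's Genesys Cloud user.

    bindings: hypothetical mapping of Genesys Cloud user id -> local account id,
    filled in during registration. get_me is injectable so the logic can be
    exercised without network access.
    """
    if not access_token:
        raise NotAuthenticated("no access token in server-side session")
    status, body = get_me(access_token)
    # Trust only what the platform returns for this token.
    if status != 200 or not body.get("id"):
        raise NotAuthenticated("token rejected by /api/v2/users/me")
    local_account = bindings.get(body["id"])
    if local_account is None:
        raise NotAuthenticated("Genesys Cloud user is not bound to an account")
    return local_account
```

A page that merely embeds the iframe URL has no valid token for the server to present, so `resolve_local_user` raises instead of impersonating the local account.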
