There are many different aspects to interacting with this API in a secure manner, among them the transport layer, authorization, signing, and encryption. Some of them are required and some are optional or configurable, depending on the conditions under which calling applications will be using the API.
Sample applications are available that illustrate how to work with the API and satisfy these security concerns.
This API only accepts HTTPS traffic in order to protect the data that resides within an Advisors Assistant database while it is in transit between the calling application's computer and the API server and back again.
All requests to this API require a valid Access Token stored within a request header named "Authorization" with a value starting with the word "Bearer", then a space, then the authorization token, e.g. "Bearer a1b2c3d4e5f6g7".
These authorization tokens are issued by first calling the "Auth" method of the API. The required parameters are client ID, subscriber ID, user ID and password.
Depending on the nature of your implementation you may wish to have the added protection of digitally signing the requests that are made to the API. Doing so enables the API to check the request's signature and verify that the request has not been tampered with en route from the calling computer to the API server. All responses from the server back to the caller are signed by the API, allowing the caller to check the response's signature and verify that the response has not been tampered with en route from the API server to the calling computer.
Signing can be done via a symmetric key (a shared secret that both you and the API possess) or asymmetric keys (the public/private key pair found in an X509 certificate).
Symmetric keys are issued to you when you go through the Getting Started process. HMAC SHA-256 is the cryptographic method used to create signatures using a symmetric key.
Certificates can be exchanged for asymmetric keys if desired. This is typically done in an enterprise-to-enterprise implementation of the API as it is more complicated and requires the use of an X509 Certificate. Note that the certificate need not be issued by a Certificate Authority (e.g. Verisign or GoDaddy).
Choosing an appropriate signing option depends on several factors that we can discuss with you.
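The following is an added example (not code from Advisors Assistant or its sample applications) showing the symmetric-key option described above: a client signs an outgoing request with HMAC SHA-256 over a shared secret, sends the Bearer token in the Authorization header, and verifies a signature on a response in constant time. The canonical message layout, the X-Timestamp and X-Signature header names, the request path and the secret are all assumptions constructed for this example; the real API's signed-message format is defined in its documentation.

```python
import base64
import hashlib
import hmac

# Constructed shared secret standing in for the one issued during Getting Started.
SHARED_SECRET = b"example-shared-secret-not-a-real-key"


def canonical_message(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """Assumed canonical form: METHOD, path, timestamp and SHA-256(body), newline-joined.

    Binding the timestamp into the signed material is what lets a verifier
    reject replayed requests; hashing the body keeps the message fixed-size.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash]).encode("utf-8")


def sign(secret: bytes, message: bytes) -> str:
    """HMAC SHA-256 over the canonical message, base64-encoded for a header value."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify(secret: bytes, message: bytes, presented_signature: str) -> bool:
    """Recompute the MAC and compare in constant time to avoid timing leaks."""
    expected = sign(secret, message)
    return hmac.compare_digest(expected, presented_signature)


def build_request_headers(access_token: str, secret: bytes, method: str,
                          path: str, timestamp: str, body: bytes) -> dict:
    """Headers for a signed request: Bearer token plus assumed signature headers."""
    signature = sign(secret, canonical_message(method, path, timestamp, body))
    return {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
        "X-Timestamp": timestamp,   # assumed header name
        "X-Signature": signature,   # assumed header name
    }


if __name__ == "__main__":
    # Constructed request; the path is a placeholder, not a documented API route.
    body = b'{"clientId": "C-0001"}'
    headers = build_request_headers("a1b2c3d4e5f6g7", SHARED_SECRET, "POST",
                                    "/example/resource", "2024-01-01T00:00:00Z", body)
    msg = canonical_message("POST", "/example/resource", "2024-01-01T00:00:00Z", body)
    print("request verifies:", verify(SHARED_SECRET, msg, headers["X-Signature"]))
```

The same `verify` function serves the response side: the caller rebuilds the canonical message from the response it received and checks the signature the API attached, so any in-transit change to the body fails verification.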
Encryption can be enabled to protect the content being posted to the API, the content being received from the API, or both. Encryption is accomplished via the Advanced Encryption Standard (AES) using a symmetric key (aka shared secret) that is issued by Advisors Assistant.