Authentication

The Bonsai API supports two methods of authenticating requests: HTTP Basic Auth, and HMAC.
Last updated: June 16, 2023

Alpha Stage

The Bonsai API is currently in its Alpha release phase. It may not be feature-complete, and is subject to change without notice. If you have any questions about the roadmap of the API, please reach out to support.

Of the two, HTTP Basic Auth is a widely adopted standard supported by most HTTP clients, but it requires an encrypted connection for safe transmission. HMAC is an older and slightly more complicated method, but it offers some security over unencrypted connections.

Which Scheme Should I Use?

If you’re connecting to the API via https (as most people are), then Basic Auth is fine. The header containing the credentials is encrypted using industry-standard protocols before being sent over the Internet. TLS also lets you authenticate the receiving party (the API) through a trusted certificate authority, rendering MITM attacks highly unlikely. Basic Auth is not secure over unencrypted connections, however: your credentials could be intercepted and read by a third party.

If you can’t use https for some reason, then consider using HMAC. This scheme involves passing some special headers with your API requests, and it is designed on the assumption that a third party can read the transmission. It’s slightly more complicated to configure, but it relies on a time-based nonce signed with your secret key, mitigating MITM and replay attacks. A third party could see the data you send to and receive from the API, but would not be able to steal your API credentials and interact with the API on your behalf.

Failed Authentication

Requests that do not carry valid authentication receive an HTTP 401 Unauthorized response. This can happen for a variety of reasons, including (but not limited to):

  1. The token itself has been revoked
  2. The token key cannot be found (perhaps due to a typo)
  3. The token secret does not match the secret provided
  4. One or more HTTP headers have been miscalculated
  5. (When using HMAC) the X-BonsaiApi-Time timestamp deviates more than 60 seconds from the server time
  6. Some other filtering rule has been violated
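As an added illustration (not part of the Bonsai documentation, and not Bonsai's actual signing scheme), the Python sketch below shows the shape of a timestamped-HMAC exchange like the one described under "Which Scheme Should I Use?", and reproduces the HMAC-specific rejection reasons from the list above: unknown key, timestamp outside the window, altered request, and replayed request. Only the X-BonsaiApi-Time header and the 60-second tolerance come from this page; the header names X-Example-Key and X-Example-Signature, the canonical string, the choice of SHA-256, and the sample credentials are assumptions made for the example.

```python
import hashlib
import hmac

# Skew tolerance taken from the Bonsai docs (X-BonsaiApi-Time may deviate at most
# 60 seconds from server time). Everything else here is a constructed illustration,
# not Bonsai's documented signing scheme.
MAX_SKEW_SECONDS = 60

# Hypothetical header names for the illustration; only X-BonsaiApi-Time is on the page.
KEY_HEADER = "X-Example-Key"
TIME_HEADER = "X-BonsaiApi-Time"
SIG_HEADER = "X-Example-Signature"


def canonical_string(method, path, timestamp, body):
    """Bind method, path, timestamp and a hash of the body into one signed string,
    so a third party who alters any of them in transit invalidates the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(key, secret, method, path, body, timestamp):
    """Client side: produce the authentication headers for one request.
    The secret itself never leaves the client; only the MAC over the request does."""
    mac = hmac.new(secret.encode(), canonical_string(method, path, timestamp, body), hashlib.sha256)
    return {KEY_HEADER: key, TIME_HEADER: str(timestamp), SIG_HEADER: mac.hexdigest()}


def verify_request(headers, method, path, body, secrets, now, seen_signatures):
    """Server side: return (accepted, reason). `secrets` maps key -> secret;
    `seen_signatures` is the replay cache of signatures accepted inside the window
    (a real server would prune entries older than MAX_SKEW_SECONDS)."""
    secret = secrets.get(headers.get(KEY_HEADER))
    if secret is None:
        return False, "unknown key"           # revoked, mistyped, or never issued
    try:
        ts = int(headers.get(TIME_HEADER, ""))
    except ValueError:
        return False, "malformed timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp skew"        # too old (or from the future) to accept
    expected = hmac.new(secret.encode(), canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    presented = headers.get(SIG_HEADER, "")
    if not hmac.compare_digest(expected, presented):  # constant-time comparison
        return False, "bad signature"         # wrong secret, or request altered in transit
    if presented in seen_signatures:
        return False, "replay"                # the same signed request presented twice
    seen_signatures.add(presented)
    return True, "ok"


SECRETS = {"demo-key": "demo-secret"}  # constructed credentials, not real ones


def demo(now=1_700_000_000):
    """Walk one signed request through the checks the Failed Authentication list describes."""
    headers = sign_request("demo-key", "demo-secret", "GET", "/example/resource", b"", now)
    replay_cache = set()
    return {
        "fresh": verify_request(headers, "GET", "/example/resource", b"", SECRETS, now + 5, replay_cache),
        "replayed": verify_request(headers, "GET", "/example/resource", b"", SECRETS, now + 10, replay_cache),
        "stale": verify_request(headers, "GET", "/example/resource", b"", SECRETS, now + 61, set()),
        "altered_path": verify_request(headers, "GET", "/example/other", b"", SECRETS, now + 5, set()),
        "unknown_key": verify_request({**headers, KEY_HEADER: "typo-key"}, "GET", "/example/resource",
                                      b"", SECRETS, now + 5, set()),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:13s} accepted={accepted!s:5s} reason={reason}")
```

The design point is the one the page makes: an eavesdropper on an unencrypted link sees the key identifier, the timestamp and the signature, but never the secret, and because the timestamp is inside the signed string a captured request stops being valid once it falls outside the skew window (and a replay cache rejects it even inside the window). Note that the time check runs before the signature check, so a client whose clock drifts more than 60 seconds will fail exactly as item 5 in the list describes, regardless of whether its secret is correct.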

If you are having trouble authenticating your requests to the API, please reach out to support@bonsai.io.
