Admin Authentication Flow

The Admin Authentication Flow is used for non-sensitive information. This flow is called "Admin Authentication" because an administrator-level user authenticates the Ocelot API client to the Ocelot API.

The user must have appropriate permissions for creating and editing a service provider. The details for creating a service provider are found in the guide Adding A Service Provider and cover more than authentication data.

The provisioned authentication data for a service provider consists of two fields: a secret key and an API key. The authentication data is auto-generated by the Client Administrator. The administrative user must capture the provisioned authentication data immediately when it is auto-generated. The full authentication data will not be available in future viewings. It can be regenerated on demand.

The secret key is used to sign the data payload sent in the requests to the Ocelot API, the responses from the Ocelot API, the webhook events from the Ocelot API, and the responses from the webhook event handlers. The Ocelot API will reject requests and handler responses that are not signed or have an invalid signature.

The API key is used when making requests to the Ocelot API. It is not needed on the responses from webhook event handlers.
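
A sketch of how a webhook event handler could check the signature on an incoming event and sign its own response with the secret key, as an added example that is not Ocelot's own code. The page does not state the signature algorithm, its encoding or how the signature is transported; HMAC-SHA256 over the raw body with hex encoding, the function names, and the sample key and event are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed sample values; a real secret key comes from the provisioning step.
SECRET = b"constructed-secret-key-for-demo"
EVENT = b'{"id": "evt_1", "type": "constructed.sample"}'


def sign(secret_key: bytes, body: bytes) -> str:
    """Assumed scheme: hex-encoded HMAC-SHA256 over the exact body bytes."""
    return hmac.new(secret_key, body, hashlib.sha256).hexdigest()


def verify(secret_key: bytes, body: bytes, signature: Optional[str]) -> bool:
    """Return False for a missing or wrong signature; compare in constant time."""
    if not signature:
        return False
    expected = sign(secret_key, body)
    # Compare as bytes so a non-ASCII signature cannot raise TypeError.
    return hmac.compare_digest(expected.encode(), signature.encode())


def handle_webhook_event(
    secret_key: bytes, raw_body: bytes, signature: Optional[str]
) -> Tuple[int, bytes, Optional[str]]:
    """Return (status, response_body, response_signature) for one event."""
    # Verify the bytes as received, before parsing: re-serialized JSON may
    # differ byte-for-byte from what the sender signed.
    if not verify(secret_key, raw_body, signature):
        return 401, b"", None
    event = json.loads(raw_body)
    response = json.dumps({"received": event.get("id")}).encode()
    # The handler response is signed too, since unsigned responses are rejected.
    return 200, response, sign(secret_key, response)


if __name__ == "__main__":
    good = handle_webhook_event(SECRET, EVENT, sign(SECRET, EVENT))
    tampered = handle_webhook_event(SECRET, EVENT + b" ", sign(SECRET, EVENT))
    print(good[0], tampered[0])
```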