
Authentication

Robbie 3rd-party APIs use an authentication and authorization scheme based on an API key sent in an RFC 7235 Authorization header.

To keep the process secure, the API consumer must request and be provided with:

  • [API-KEY]: A Client secret.

The [API-KEY] is provided by Robbie AI Inc. during the registration phase and must be kept secret. If an [API-KEY] is compromised, it can be revoked and renewed by writing to support@robbie.ai; additional [API-KEY]s can be requested the same way.

Info

Note that registration is not public. For more information, contact sales & support.

Danger

The Robbie API V1 security framework is meant for backend-to-backend transport; using it directly in browsers is insecure and not supported. Do not share the API_KEY with anything other than your own well-known servers, and do not store it in a cookie, in the browser's Session/Local/SQL storage engines, or in a frontend JavaScript variable. If you need to call the API from a frontend, create your own backend endpoint and use the API_KEY securely within the backend, loaded from a known secrets source.

To check whether your token is correct, call the check endpoint:

  • Path: /v1/check/
  • Method: GET
  • Headers:
    • Authorization
  • Content Type: application/json
API_KEY=7dae9cfd1b40454dad3cdf15b073370fcfa7f09a97c743e081459ad28b1e18df
http https://rw-identity.robbieapis.com/v1/check/ \
    "Authorization: ApiKey-v1 ${API_KEY}" 
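import requests

# Sample key from this page; it is not functional.
API_KEY = "7dae9cfd1b40454dad3cdf15b073370fcfa7f09a97c743e081459ad28b1e18df"
response = requests.get(
    "https://rw-identity.robbieapis.com/v1/check/",
    headers={
        # The "ApiKey-v1" prefix is case sensitive.
        "Authorization": "ApiKey-v1 {}".format(API_KEY),
        "Content-Type": "application/json",
    },
)
assert response.status_code == 200
# requests decodes the JSON body with .json(); it has no get_json() method.
print("{}".format(response.json()))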

Note

The API_KEY provided is not functional.

Expected Response

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Alt-Svc: clear
Content-Length: 47
Content-Security-Policy: default-src 'self'
Content-Type: application/json
Date: Mon, 24 Jun 2019 17:35:07 GMT
Referrer-Policy: strict-origin-when-cross-origin
Server: gunicorn/19.9.0
Strict-Transport-Security: max-age=31556926; includeSubDomains
Via: 1.1 google
X-Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
{
    "status": "Welcome to Robbie Identities API!"
}
{"status": "Welcome to Robbie Identities API!"}

Warning

For v1, the Authorization header prefix ApiKey-v1 must be used exactly as shown (it is case sensitive), and the [API-KEY] must be sent as plain text.

Warning

Unauthorized requests receive an RFC 7231 HTTP 403 Forbidden with no further headers or actions to perform, instead of an HTTP 401 Unauthorized with an associated WWW-Authenticate header. In case of issues, ask for troubleshooting support at support@robbie.ai.
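
A backend-side helper for the guidance above, added here as an example and not part of Robbie's own documentation or code: it loads the key from the process environment, sends it with the exact ApiKey-v1 prefix, and treats the documented HTTP 403 as a rejected key. The environment variable name ROBBIE_API_KEY, the function names and the use of the standard-library urllib are assumptions.

```python
import json
import os
import urllib.error
import urllib.request

CHECK_URL = "https://rw-identity.robbieapis.com/v1/check/"  # from this page
PREFIX = "ApiKey-v1"          # case sensitive, must be sent exactly like this
ENV_VAR = "ROBBIE_API_KEY"    # assumption: where the backend keeps the key


class RobbieAuthError(Exception):
    """The key is missing, malformed, or was rejected by the API."""


def load_api_key(environ=os.environ):
    """Read the key from the environment instead of hard-coding it."""
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise RobbieAuthError(ENV_VAR + " is not set")
    # Embedded whitespace (including CR/LF) would corrupt the header line.
    if any(ch.isspace() for ch in key):
        raise RobbieAuthError("API key must not contain whitespace")
    return key


def auth_headers(api_key):
    """Build the headers the check endpoint expects."""
    return {
        "Authorization": "{} {}".format(PREFIX, api_key),
        "Content-Type": "application/json",
    }


def check_key(api_key, urlopen=urllib.request.urlopen):
    """GET /v1/check/ and return the status string, or raise on rejection."""
    req = urllib.request.Request(CHECK_URL, headers=auth_headers(api_key), method="GET")
    try:
        with urlopen(req, timeout=10) as resp:
            return json.load(resp)["status"]
    except urllib.error.HTTPError as exc:
        # The API answers 403 (not 401 + WWW-Authenticate) for a bad key,
        # so there is no challenge to follow and no point in retrying.
        if exc.code == 403:
            raise RobbieAuthError("API key rejected (HTTP 403)") from None
        raise


if __name__ == "__main__":
    print(check_key(load_api_key()))
```

The urlopen parameter lets tests substitute a fake transport, so the key never has to leave the backend or reach a real endpoint during CI.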