Home
Guides
Start typing to search…

API Authentication

Khumbu ensures secure communication and data integrity between its API and integration partners through a robust authentication mechanism. This mechanism prevents unauthorized access, secures sensitive data, and guarantees that only verified partners can interact with the API. Below is an overview of the key elements of Khumbu's API authentication process:

1. API Key Authentication

  1. Overview: Each integration partner is issued a unique API key during the onboarding process. This key serves as a secure identifier to authenticate API requests.
  2. Usage: The API key must be included in the request header (e.g., x-api-key: {API_KEY}).
  3. Security Measures:
    1. API keys should be kept confidential and stored securely.
    2. Keys should not be hard-coded in the client application; instead, use environment variables or secure vaults.

2. OAuth 2.0 (Advanced Authentication)

For enhanced security and flexibility, Khumbu supports OAuth 2.0, a widely adopted authorization framework.

  1. How It Works:
    1. Integration partners are required to register their application and obtain client credentials (client ID and client secret). Khumbu support team can register and provide the credentials
    2. Partners authenticate using these credentials to receive an access token, which is included in API requests.
    3. Access tokens are short-lived and expire within a specified time interval.
  2. Grant Types Supported: Client Credentials Grant: Used for server-to-server communication.

3. Token-Based Authentication

  1. JWT (JSON Web Token):
    1. Khumbu APIs use JWT for stateless authentication.
    2. Tokens are signed and verified using a secure algorithm, ensuring data integrity and authenticity.
    3. Tokens include metadata like user roles, permissions, and expiration times.
  2. Token Expiry: Tokens have a defined lifespan to minimize security risks. Partners must handle token renewal proactively.

Security Best Practices for Integration Partners

  1. Protect Credentials:
    Keep API keys, tokens, and client secrets secure. Do not expose them in source code repositories or share them publicly.
  2. Use HTTPS:
    Always use HTTPS to encrypt data in transit.
  3. Rotate Keys Regularly:
    Update API keys and secrets periodically to mitigate risks.
  4. Monitor Activity:
    Track API usage to identify and respond to any suspicious activity.

Updated 6 months ago