Security considerations
Agent, customer, server and API calls must be authenticated with either a token or a token and a full signature, depending on your implementation to ensure that you are connected to an authorized user or server.
Important: Authentication tokens are valid for 5 minutes.
The Bold360 API only sends data to endpoints with proper SSL certificate configuration. To protect sensitive information, only HTTPS requests are accepted. The endpoint URL must be a fully qualified domain name (FQDN). IP addresses will not work.
Simple Authentication (Token Only)
Simple authentication is performed using an
authentication token parameter, which is the most
common authentication method. The token is a string in the following format:
[Account ID]:[API Setting ID]:[Timestamp]:[Hashed authentication code]- Account ID: Your Bold360 account ID
- API Settings ID: Generated when you create the API key
- API key: The
auto-generated API key for a specific API Settings ID.
Remember: Save this key when you create an API setting key. For security reasons, the key will be obfuscated once a new setting is created. See also Set up your account to work with the Bold360 API.
- Timestamp: The number of milliseconds since 1970-01-01 00:00:00 UTC (Unix epoch time)
- Hashed authentication code: SHA-512 hex-encoded hash of [Account ID]:[API Setting ID]:[Timestamp][API Key]
When you use the interactive page, the hashed auth parameter is automatically created for you.
Sample URL
https://api.boldchat.com/aid/123/data/rest/json/v1/UpdateChat?ChatID=5&auth=123%3A456%3A1234567890000%3AF160D6870926C259E7D4FEB7D201965E172808FC264CF7FB6E7E0D82529D9A51059F29E8EE6C100DC5F6420A5ABE6B5E231E3BB30FC26340CC1AD345DAC59620
| Parameter | Type | Required | Description |
|---|---|---|---|
| auth | string | yes | Authentication token |
Signed Authorization (Optional)
Signed authentication is performed using a hashless authentication token and a signed parameter.
Important: The
signed parameter should incorporate all signed
fields, including
signed and
auth, separated by a URL-encoded ampersand character
(%26).
The call string consists of the method name, followed by a question
mark, the URL-encoded key-value pairs, the authentication token and the secret
key. The SHA-512-encoded hash is used for the
signature.
Important: URL-encoded characters in the URL string
must be uppercase (for example
%3A for the colon character). Note that the C#
HttpUtility.UrlEncode method produces lowercase
characters.
Sample URL
https://api.boldchat.com/aid/123/data/rest/json/v1/UpdateChat?ChatID=5&auth=123%3A456%3A1234567890000&signed=signed%26auth%26ChatID&signature=FD846AE3587689E4EAC09F7F26B6D3E998548AC06107E00FBC9733F4077EB2319E2115538E815BEB7A08548A7F33C3DC158EB56273CC2C3D9BB474DD0AAA2689| Parameter | Type | Required | Description |
|---|---|---|---|
| auth | string | yes | Authentication token |
| signed | string | yes | URL-encoded, ampersand-separated list of signed parameters |
| signature | string | yes | SHA-512 hex-encoded hash of the signed data |
| unsigned | string | no | When present, parameters not included in either the signed or unsigned parameters are ignored |