Third Party API Access

Controlling access to your API is vital to ensure a high quality, secure platform for your customers and partners. Fortunately your Approov protection can easily be extended to include 3rd party apps too.

This section assumes you are already familiar with basic Approov usage as described in the rest of the documentation.

The basic deployment scenario is where a single organization controls both the backend API and the mobile client apps. The integration flow in this case is simple once you have received the tokens for your Approov account:

  • The backend API team integrates Approov token verification using the secret obtained from the Admin Portal.
  • Mobile client app developers integrate the Approov SDK downloaded from the Admin Portal.
  • Mobile client app developers register the completed app with Approov using the Registration Tools and a Registration Token.

When dealing with 3rd parties, the mobile client app developers are outside of your organization, so you must supply them with the necessary tools. Specifically, you must send them:

  • An Approov SDK from your account
  • The Registration Tools
  • A Registration Token. You should not give 3rd parties your own Registration Token; contact support to obtain extra Registration Tokens for this purpose.

In addition to Approov specific information we recommend that you also implement a traditional static API Key scheme (if you do not have one in place already) in order to easily identify which 3rd party software is accessing your API in a particular transaction. Since the app is now protected with Approov, static API keys can be safely used for identification purposes.

In the most basic 3rd party scenario, 3rd party developers write their app and integrate Approov in much the same way as if they owned the API. They then register the app with Approov using the Registration Token you provided. When the app attests, it receives a token from your Approov account, signed with your secret. If you have implemented API keys, the app also sends its key to your API. To simplify integration for third parties, you may choose to wrap the Approov SDK in your own SDK; the only Approov-related action a 3rd party then needs to take is app registration.


Another common scenario when dealing with 3rd party developers is where API calls are proxied from a Customer App through a 3rd party Backend to your services. It is important that you can still verify that the request originated from a registered app. The 3rd party should be instructed to also pass the Approov token through from their app with the request. Again, the 3rd party must integrate an Approov library into their app and register the app with Approov.


Typically in this scenario the 3rd party backend uses a secret server-to-server API key to identify itself to your service, so there is no need to embed an identifier for your service in the customer app.
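The backend-side check implied by both scenarios above (direct 3rd party app, and a 3rd party backend passing the Approov token through), as an added example that is not Approov's own code: the Approov token is verified first, and only then is the static key used to identify which partner made the call. It assumes the token is an HS256 JWT signed with the base64 account secret, that it arrives in an `Approov-Token` header, and that the partner key arrives in `X-API-Key`; the secret and key table are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (not real): a base64-encoded account secret and a
# table mapping static API keys (app keys or server-to-server keys) to partners.
ACCOUNT_SECRET = base64.b64encode(b"constructed-secret-for-demo").decode()
API_KEYS = {"key-partner-a": "partner-a", "key-partner-b": "partner-b"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _hs256(secret_b64: str, signing_input: str) -> bytes:
    return hmac.new(base64.b64decode(secret_b64), signing_input.encode(), hashlib.sha256).digest()

def sign_token(claims: dict, secret_b64: str) -> str:
    """Build an HS256 JWT as the attestation service would (used here only to make test input)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url(_hs256(secret_b64, f'{header}.{body}'))}"

def verify_token(token: str, secret_b64: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token has not expired, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # never accept a token that names a different algorithm
        if not hmac.compare_digest(_hs256(secret_b64, f"{header}.{body}"), _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims

def authorize(headers: dict, secret_b64: str = ACCOUNT_SECRET, now: Optional[float] = None) -> Optional[str]:
    """Reject the request unless the Approov token verifies; then identify the partner by API key."""
    if verify_token(headers.get("Approov-Token", ""), secret_b64, now) is None:
        return None
    return API_KEYS.get(headers.get("X-API-Key", ""))
```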