Backend API Authentication and IP Whitelisting

IDWise supports secure backend-to-backend integrations through Basic Authentication. This guide provides details on how to set up authentication using a server key and secure it with IP whitelisting.

1. Authentication for Backend Integration

IDWise uses Basic Authentication to authenticate API requests for backend-to-backend communication. Basic Authentication is a simple and widely supported method for providing credentials to access resources.

How it works:

  • In Basic Authentication, your credentials (username and password or API key) are encoded as a Base64 string and passed in the HTTP Authorization header. Base64 is an encoding, not encryption, so the header must only ever be sent over HTTPS.
  • For IDWise, this is done using a Server Key, which serves as your unique API key for authenticating requests between your backend system and IDWise's services.

Creating a Server Key

To integrate your backend system with IDWise using Basic Authentication, you must first create a Server Key. Follow these steps:

  1. Access the Developer Admin Portal
    Log in to the IDWise Admin Portal and navigate to the API Keys section under the developer area.

  2. Create a New API Key
    Click on the "Add a New Key" button to initiate the creation of a new key.

  3. Select the Environment
    Choose the environment where the key will be used: either Sandbox for testing or Production for live environments. Be sure to select the environment that aligns with your intended use case.

  4. Provide a Descriptive Key Name
    Enter a meaningful and descriptive name for the key to help you easily identify it in the future.

  5. Set the Key Type
    In the Key Type dropdown, select Server Key. This ensures the key is configured for Backend API calls.

  6. Save and Secure the Key
    Once generated, immediately copy or download the key. Please note that for security reasons, the key will not be retrievable again after this step. Ensure it is securely stored for future use.

Info: Treat the server key like a password. Do not expose it in your codebase or share it publicly.


2. Protecting the Server Key with IP Whitelisting

For enhanced security, IDWise supports IP Whitelisting. This allows you to restrict access to your API by allowing requests only from specific IP addresses.

What is IP Whitelisting?

IP Whitelisting restricts access to your backend API by permitting only specific IP addresses or ranges to communicate with IDWise’s API using your server key. Even if someone acquires your server key, they won’t be able to use it unless their request originates from an authorized IP address.

How to Configure IP Whitelisting

Follow these steps to configure IP whitelisting for your server key:

  1. Log into the IDWise Dashboard: Navigate to the API Settings section where your server key is configured.
  2. Access IP Whitelisting: Find the IP Whitelisting option in the API security settings.
  3. Add Trusted IP Addresses:
    • In the IP Whitelisting section, you will be able to add specific IP addresses or IP ranges.
    • Enter the IP addresses or CIDR ranges (e.g., 192.168.1.1/24) that are allowed to access the API. These must be the public source addresses from which your backend's outbound requests reach IDWise (for example, the address of your NAT gateway or egress proxy), not a private address that IDWise never sees.
  4. Save Changes: Once you've added all the trusted IP addresses, save the configuration. Only requests from these IP addresses will now be able to use your server key.

Example:

If your server is running on IP 203.0.113.4, you would add this IP to the whitelist. Any request to IDWise’s API made from an IP address other than 203.0.113.4 will be rejected, even if the server key is valid.
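As an added illustration of sections 1 and 2 (not code from IDWise or its SDKs), the snippet below builds a Basic Authentication header from a server key read from the environment, and shows how a source address is matched against a whitelist of addresses and CIDR ranges. The environment variable name `IDWISE_SERVER_KEY` and the placement of the server key as the Basic auth password are assumptions; follow the IDWise API reference for the exact username/password layout.

```python
import base64
import ipaddress
import os
from typing import Iterable, Mapping, Optional


def basic_auth_header(username: str, password: str) -> str:
    """Return the value of an HTTP Authorization header for Basic Authentication.

    Basic auth is only base64(username:password): encoding, not encryption,
    so the header must travel over TLS only.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def load_server_key(var: str = "IDWISE_SERVER_KEY",
                    env: Optional[Mapping[str, str]] = None) -> str:
    """Read the server key from the environment rather than from source code.

    The variable name is an assumption for this example. Failing hard when the
    key is missing avoids silently sending unauthenticated requests.
    """
    source = os.environ if env is None else env
    key = source.get(var)
    if not key:
        raise RuntimeError(f"{var} is not set; refusing to start without a server key")
    return key


def is_source_allowed(source_ip: str, whitelist: Iterable[str]) -> bool:
    """Return True if source_ip lies inside any whitelisted address or CIDR range.

    A bare address is treated as a single-host network. strict=False accepts
    entries written with host bits set, such as 192.168.1.1/24, by masking them
    off. Malformed entries are skipped so a typo never widens the allow list.
    """
    addr = ipaddress.ip_address(source_ip)
    for entry in whitelist:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            continue
        if addr.version == net.version and addr in net:
            return True
    return False


if __name__ == "__main__":
    # Constructed values for a local run; the key would normally come from the environment.
    key = load_server_key(env={"IDWISE_SERVER_KEY": "example-server-key"})
    print(basic_auth_header("backend", key))
    print(is_source_allowed("203.0.113.4", ["203.0.113.4"]))   # True
    print(is_source_allowed("203.0.113.5", ["203.0.113.4"]))   # False
```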


3. Important Security Considerations

  • Rotate Server Keys: Periodically rotate your server keys to maintain security. This can be done by generating a new key from the IDWise dashboard and updating your backend system with the new key.
  • Secure Key Storage: Store your server key in a secure environment, such as an environment variable or secret management system, to prevent unauthorized access.
  • Configure IP Whitelisting: Restrict access to the IDWise API by configuring IP whitelisting, ensuring that only requests originating from your server’s trusted IP addresses are allowed to interact with the API.