Security

The security of data as it is transported in and out of the Gateway platform is paramount. Gateway takes a least privilege approach when authorising access to APIs. All data is transported over a TLS-secured channel, and the OAuth2 protocol standard is used to authenticate access to the APIs. The steps required to gain access to Gateway APIs are as follows:

  • Request a Gateway business to business (B2B) account via your account manager

    You will be issued with a client ID and secret

    You will also be provided with the URLs required to access the service

  • Your account will be assigned access to the relevant APIs in accordance with your service agreement

  • Send an authentication request to the Gateway authentication service providing your client ID and secret.

  • A JSON web token (JWT) will be returned.

  • Make a POST request to the Gateway API providing the JWT in the HTTP request header

    Any request made without a valid JWT will return an HTTP 401 – unauthorized response

    Any request made to an API endpoint that has not been assigned to the account will return an HTTP 403 – forbidden response

    Any request made to a valid API endpoint that does not conform to the Gateway message structure will return an HTTP 400 – bad request response

    A valid request will return an HTTP 200 – successful acceptance response

Security diagram

Authentication

All third-party applications will be granted a client ID and secret so that they can authenticate using the OAuth2 protocol. The client ID and secret will be provided to you upon integration signup.

All requests must authenticate via the Gateway Authentication Endpoint to obtain a JWT, which must be presented as an HTTP request header in every request made to the API.

The following diagram describes this process.

Authorisation

The Gateway API supports multiple message types. Each client application will be authorised to call only the message types appropriate to it.

Access to each message type is controlled through a role-based security layer managed by Innovation Group. Calls to message types that are unauthorised will return a 401 response.
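The client-side half of the flow described in the access steps above and in the Authentication and Authorisation sections, as an added example that is not part of the Gateway documentation or any Gateway SDK: obtain a JWT with the client ID and secret, send it on every POST, re-authenticate once on a 401, and surface 400 and 403 to the caller. It assumes the token endpoint accepts the standard OAuth2 client_credentials grant and that the JWT is presented as Authorization: Bearer <jwt>; neither detail is stated on this page, and the two URLs are placeholders for those issued with your account.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.example.invalid/token"  # placeholders: the real URLs are issued with your account
API_URL = "https://api.example.invalid"

class GatewayError(Exception):
    """Documented non-200 response; .status is 400, 401 or 403."""
    def __init__(self, status, detail):
        super().__init__(f"HTTP {status}: {detail}")
        self.status = status

def urllib_transport(method, url, headers, body):
    """Real HTTPS transport; returns (status, text) for 4xx instead of raising so callers see the code."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, body, headers, method=method), timeout=10) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

class GatewayClient:
    def __init__(self, client_id, client_secret, transport=urllib_transport):
        self._creds, self._transport, self._jwt = (client_id, client_secret), transport, None

    def authenticate(self):
        # Assumed request shape: the standard OAuth2 client_credentials grant (the page only names ID + secret)
        form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": self._creds[0],
                                       "client_secret": self._creds[1]}).encode()
        status, text = self._transport("POST", TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise GatewayError(status, "authentication failed")  # keep the secret out of errors and logs
        self._jwt = json.loads(text)["access_token"]
        return self._jwt

    def post(self, endpoint, message, _retried=False):
        """POST one message with the JWT as a bearer header; refresh once on 401, raise on 400/403."""
        if self._jwt is None:
            self.authenticate()
        headers = {"Authorization": f"Bearer {self._jwt}", "Content-Type": "application/json"}
        status, text = self._transport("POST", API_URL + endpoint, headers, json.dumps(message).encode())
        if status == 401 and not _retried:  # expired or revoked JWT: re-authenticate once, then give up
            self._jwt = None
            return self.post(endpoint, message, _retried=True)
        if status != 200:
            raise GatewayError(status, text)
        return json.loads(text) if text else {}
```

The transport is a plain callable (method, url, headers, body) -> (status, text), so the same client can be exercised against a test double that returns the documented 400, 401 and 403 codes before it is pointed at the live service.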