User Authentication

In some integration scenarios when it is desired that the Application be integrated within an existing piece of software, it is necessary to authenticate a user without the user being required to perform a manual login, as the authentication is already handled through the parent software.

In this instance we can provide an alternative method of user login, whose authentication is based upon a key set up in advance and known only by the Administrators and Client.

Security

It is critical that the key is not shared, as the holder of the key can log in as any user in the configured space, skipping all authentication checks (IP restriction and disabled users are still verified).

Do not store the key or build the querystring in the client browser, as that would expose the key.

Your own authentication mechanism must be used to authenticate the user before creating the signature for Maxemail.


The QueryString

Having been given the key, the login is performed by calling the usual server URL, with a specific query string, containing these parameters:

Key

Type

Value

user

string

The user's email address.

ts

int

The current timestamp (see Unix Time), used to build the sig.

sig

string

The authentication signature.
Concatenate the keytimestamp and user, and then hash the result using MD5.

Example

Given the following variables:

  • key = VNu6634hB13R58
  • user = test@example.com
  • time = 1234567890

As the signature is the result of: md5(<key><timestamp><user>), the final query string added to your Maxemail URI would produce:

https://application.server.com/?user=test@example.com&ts=1234567890&sig=960a48698b986c9405e53437e658bfca