In some integration scenarios the Application is embedded within an existing piece of software, and the user has already authenticated to that parent software. It is then undesirable to require a second, manual login.
For this case an alternative login method is available, whose authentication is based on a key set up in advance and known only to the Administrators and the Client.
Security
It is critical that the key is not shared: whoever holds the key can log in as any user in the configured space and bypasses password authentication entirely (IP restrictions and the disabled status of a user are still enforced).
Never store the key in, or build the query string from, the client browser; either would expose the key to the end user and to anyone who can read the page or its traffic.
Your own authentication mechanism must authenticate the user first; only then should your server create the signature for Maxemail.
The QueryString
Having been given the key, the login is performed by calling the usual server URL with a query string containing these parameters:
| Key | Type | Value |
|---|---|---|
| user | string | The user's email address. |
| ts | int | The current timestamp (see Unix Time), in seconds, used to build the sig. |
| sig | string | The authentication signature: concatenate the key, the timestamp and the user, in that order and with no separators, then take the MD5 hex digest of the result. |
Example
Given the following variables:
- key = VNu6634hB13R58
- user = [email protected]
- time = 1234567890
As the signature is the result of md5(<key><timestamp><user>), the final query string appended to your Maxemail URI is:
https://mxm.xtremepush.com/[email protected]&ts=1234567890&sig=960a48698b986c9405e53437e658bfca
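The following is an added example, not Maxemail's or Xtremepush's own code, showing how a server-side integration would build the signed login URL and how a receiver could check one. It assumes the query is appended to the base URL with `?`, that `ts` is whole seconds, and (an assumption the page does not make) that a receiver would reject timestamps outside a short freshness window; the example email address and the `BASE_URL` path are constructed for illustration.

```python
"""Key-based signed login: build and verify the user/ts/sig query string.

Added example, not Maxemail/Xtremepush code. Assumptions: the query string is
appended to the base URL after "?", and sig is the lowercase hex MD5 of
key + ts + user concatenated with no separator, as the page describes.
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "https://mxm.xtremepush.com/"  # taken from the page's example URL


def make_signature(key: str, user: str, ts: int) -> str:
    """sig = md5(<key><timestamp><user>) as a lowercase hex digest.

    MD5 is used because the service specifies it; it is not a recommendation.
    """
    payload = f"{key}{ts}{user}".encode("utf-8")
    return hashlib.md5(payload).hexdigest()


def build_login_url(key: str, user: str, ts: Optional[int] = None) -> str:
    """Build the login URL. Call this only on your server, after your own
    authentication mechanism has already verified `user`."""
    if ts is None:
        ts = int(time.time())  # Unix time in whole seconds
    params = {"user": user, "ts": ts, "sig": make_signature(key, user, ts)}
    return BASE_URL + "?" + urlencode(params)  # urlencode escapes '@' as %40


def verify_login_url(url: str, key: str, now: Optional[int] = None,
                     max_age: int = 300) -> bool:
    """Illustrative receiver-side check.

    Assumption (not stated on the page): a ts older or newer than `max_age`
    seconds is rejected, which limits replay of a captured URL. The signature
    is compared in constant time so a forger learns nothing from timing.
    """
    query = parse_qs(urlsplit(url).query)
    try:
        user = query["user"][0]
        ts = int(query["ts"][0])
        sig = query["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False  # missing or malformed parameter
    if now is None:
        now = int(time.time())
    if abs(now - ts) > max_age:
        return False  # stale or future-dated request
    expected = make_signature(key, user, ts)
    return hmac.compare_digest(expected, sig.lower())


if __name__ == "__main__":
    # Constructed sample input: the page's example key with a placeholder user.
    demo_url = build_login_url("VNu6634hB13R58", "user@example.com", 1234567890)
    print(demo_url)
    print("valid:", verify_login_url(demo_url, "VNu6634hB13R58", now=1234567890))
```

The signing side needs nothing more than `make_signature` and `build_login_url`; the verification function is there to make explicit what the scheme does and does not protect. Because the signature covers only key, ts and user, a captured URL is reusable for as long as the receiver accepts its timestamp, so keep the window tight and always generate the URL server-side, immediately before redirecting the user.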