The SLASCONE API follows the OpenAPI (3.0) specification, is HTTPS-only, and is built on REST principles, following all state-of-the-art best practices for API security.
All SLASCONE functions are invokable through the API, allowing a seamless integration with other back-office systems such as CRM/ERP etc.
You can easily test the API using our official API Test Center.
To authenticate (regardless of whether you are testing the API using our Test Center or calling it from your source code), you need to use an apiKey.
There are two apiKeys available (both can be found in the Info area of SLASCONE):
- The Provisioning apiKey (ProvisioningKey). This apiKey enables you to call all methods needed for licensing and analytics scenarios. In other words, this is the key to be embedded in your software. This key authorizes the following API controllers:
- The Administration apiKey (AdminKey). This apiKey enables you to call ALL SLASCONE methods. This is meant for testing or administration purposes only. Embedding this key in your software is not recommended.
SLASCONE uses the HMACSHA256 algorithm to simultaneously verify both the data integrity and the authenticity of every API response. This process is described here.
You can easily generate clients in your programming language using the online swagger editor. Select file, import URL and type in:
Next select Generate client and choose the language of your choice. The end result is a zip file you can download with the generated client code.
Most API methods require all or some of the following parameters:
- isv_id: This can be found in the Info area of SLASCONE.
- product_id: This can be found in the Products area of SLASCONE. Select your product and click on the Copy Key icon.
- client_id: Each client to be licensed needs to generate a unique device ID.
- license_key: This is the license key generated from SLASCONE. It consists of n tokens. A license key can be used/activated n times.
- token_key: A license consists of n tokens. A token key can be used/activated only once (one client).
Your provisioning workflow (which means the API functions that need to be called) depends on your product's licensing mode.
HOW TO SECURELY SAVE IN YOUR CLIENT
It is paramount that secrets such as the ProvisioningKey or the EncryptionKey are securely saved within your application. Best practices concerning secret management vary depending on the operating system and/or programming language. However, some basic principles apply. Embedding secrets directly in the application's source code should be avoided at all costs.
USING ENVIRONMENT VARIABLES
The most common approach to keeping secrets out of the source code is to use environment variables. This is a very simple approach that should work for most server-based applications, that is, when there is only one physical installation of your application and it is managed by you. If your application is installed on your end-customer's premises (e.g., classical desktop apps), this approach is not recommended, since environment variables are stored unencrypted, and thus their values can still be accessed if your system is seriously compromised.
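The following is an added example, not SLASCONE's own code: a server-side client that reads its secrets from environment variables and checks an HMAC-SHA256 signature over a response body, as described for API responses above. The variable names, the use of the EncryptionKey as the signing key, the base64 encoding of the signature and the sample body are assumptions; the actual signature format is defined in the SLASCONE documentation.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical environment variable names (chosen for this example).
PROVISIONING_KEY_VAR = "SLASCONE_PROVISIONING_KEY"
SIGNING_KEY_VAR = "SLASCONE_ENCRYPTION_KEY"


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent from the environment."""


def load_secret(name, environ=None):
    """Return the secret stored in variable `name`, failing closed if unset."""
    environ = os.environ if environ is None else environ
    value = (environ.get(name) or "").strip()
    if not value:
        # No hard-coded fallback: that would put the secret back in the source.
        raise MissingSecretError(f"environment variable {name} is not set")
    return value


def sign_body(key, body):
    """HMAC-SHA256 over the raw body bytes, base64-encoded (assumed encoding)."""
    digest = hmac.new(key.encode("utf-8"), body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_response(key, body, signature):
    """True only if `signature` matches the HMAC of `body` under `key`."""
    if not signature:
        return False  # an unsigned response is treated as invalid
    expected = sign_body(key, body).encode("ascii")
    # compare_digest runs in constant time, so it leaks no partial match.
    return hmac.compare_digest(expected, signature.strip().encode("utf-8"))


if __name__ == "__main__":
    # Constructed demo values; a real deployment reads os.environ.
    env = {SIGNING_KEY_VAR: "constructed-demo-key"}
    key = load_secret(SIGNING_KEY_VAR, env)
    body = b'{"license": "valid"}'
    sig = sign_body(key, body)
    print("untouched body:", verify_response(key, body, sig))
    print("tampered body: ", verify_response(key, body.replace(b"valid", b"VALID"), sig))
```

Verify the signature over the exact bytes received, before parsing the JSON, so that re-serialization differences cannot change the result.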
USING AN ONLINE SECRET MANAGEMENT SOLUTION (RECOMMENDED)
WORKING WITH POSTMAN
We strongly recommend using Postman, if available. You can easily start testing the API in Postman using the following link (you can fork or copy the collection):
Make sure to edit your environment data (baseUrl, isvid etc.) as already explained in the first part of this article.
You are now able to run all relevant API requests such as activation:
The API methods might fail for a number of reasons. SLASCONE provides a comprehensive error handling framework.