Authentication is based on a pre-shared API key which is used to generate a one-time hash. The hash is then passed along with any of the Noojee API calls as a security token. It proves you are authorised to access the Noojee API because only a holder of the pre-shared API key can produce it.
Making a call to one of the Noojee APIs is therefore a three-step process.
1) Obtain a timestamp
2) Create a hash of the pre-shared API Key and the timestamp
3) Submit one of the API methods within 10 seconds, passing in the calculated hash to prove you have authority to access the Noojee API.
Obtaining a timestamp
The timestamp must be retrieved from the Noojee API.
NOTE: The Time call returns plain text, not JSON.
A timestamp and hash combination is initially valid for 10 seconds. For this reason the timestamp used must be in sync with the PBX.
Once a timestamp and hash combination has been used by calling any of the API methods, it will remain valid for 1 hour.
TODO: elaborate what this actually implies: Authentication is limited to no more than 5 concurrent authentication attempts.
To obtain a timestamp you need to POST the following request:
https://127.0.0.1:8080/servicemanager/rest/Time
which returns a long timestamp:
1392356108888
You can do a simple test using curl:
curl -i -X POST http://127.0.0.1/servicemanager/rest/Time
Hash the key and timestamp
Next you must hash the API key and timestamp. To do this, generate a concatenated string with the API key and timestamp separated by a colon (:), then use a sha256Hex operation to generate the hash, which is passed as the security token.
hash = sha256Hex(apiKey+":"+timeStamp);
Combining the timestamp with the API key and hashing the result ensures that the API key is never exposed.
Submitting a method
Now that you have the security token you can pass it to one of the recording API methods.
An example call to stop recording would look like this:
https://127.0.0.1:8080/servicemanager/rest/CallManagementAPI/stop?extenOrUniqueId=410&timeStamp=1392356108888&hash=595a4f537c3af3a2e34333db9aef07e1a596504a01191cb0a5e3960a65f6a4e
It should further be noted that the API will only accept POST requests.
Each method call must include the timestamp and the hash. The timestamp and hash must be refreshed each hour to avoid authentication failures.
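The three steps above as a client-side sketch. This is an added example, not Noojee's own code. The names fetch_timestamp, make_hash, Token, FRESH_TTL and USED_TTL are assumptions, as is counting the 1 hour window from the first use of the pair and tracking both windows with the local monotonic clock.

```python
import hashlib
import time
import urllib.parse
import urllib.request

BASE = "https://127.0.0.1:8080/servicemanager/rest"  # host and port from the page
FRESH_TTL = 10    # seconds an unused timestamp/hash pair stays valid
USED_TTL = 3600   # seconds it stays valid after first use (assumed: from first use)

def fetch_timestamp(base=BASE):
    """Step 1: POST to the Time method; the body is plain text, not JSON."""
    req = urllib.request.Request(base + "/Time", data=b"", method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("ascii").strip()

def make_hash(api_key, timestamp):
    """Step 2: sha256Hex(apiKey + ":" + timeStamp) as lower-case hex."""
    return hashlib.sha256(f"{api_key}:{timestamp}".encode("utf-8")).hexdigest()

class Token:
    """A timestamp/hash pair plus local bookkeeping of its validity window."""
    def __init__(self, api_key, timestamp, now=None):
        self.timestamp = str(timestamp).strip()
        self.hash = make_hash(api_key, self.timestamp)
        self.issued = time.monotonic() if now is None else now
        self.first_used = None

    def usable(self, now=None):
        now = time.monotonic() if now is None else now
        if self.first_used is None:
            return now - self.issued < FRESH_TTL
        return now - self.first_used < USED_TTL

    def url(self, method, params, now=None, base=BASE):
        """Step 3: build the POST URL; raise if the pair must be refreshed."""
        now = time.monotonic() if now is None else now
        if not self.usable(now):
            raise RuntimeError("timestamp/hash expired: fetch a new timestamp")
        if self.first_used is None:
            self.first_used = now
        query = dict(params, timeStamp=self.timestamp, hash=self.hash)
        return f"{base}/{method}?{urllib.parse.urlencode(query)}"

if __name__ == "__main__":
    # Constructed API key; the timestamp is the sample value from the page.
    tok = Token("example-api-key", "1392356108888")
    print(tok.url("CallManagementAPI/stop", {"extenOrUniqueId": "410"}))
```

In real use, pass the result of fetch_timestamp() to Token and send the URL returned by url() as a POST request; when url() raises, fetch a new timestamp and build a new Token.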