4.2.2.15.1. HTTP Client Authentication
Most internet services are protected by some level of authentication. In our gateway, you can either set up a "Global authentication" (configured once and reused in multiple calls) or configure authentication individually per call.
Global Authentication
Global authentication is configured by clicking on this icon:
Use global authentication when you interact with the same system repeatedly: the configuration is entered once, and when credentials or settings change you update them in one place instead of in every call.
Authentication at Call Level
Authentication can also be configured at call level. It offers exactly the same options, but it runs only before that individual call and cannot be reused in other calls.
Authentication Types
We support the following authentication types: Basic, Digest, NTLM, Any, Cert, Form, OAuth 1.0a, OAuth 2.0 with Bearer and OAuth 2.0 with Client Credentials. The partner hosting the HTTP server should tell you which authentication method to use with their system.
None
By default, no authentication is set on calls. This is typically used for public lookup services that expose URIs to GET requests. Most substantive API calls, however, require some form of authentication.

Basic
A straightforward method in which the username and password are sent Base64-encoded in the Authorization header of the request. Base64 is an encoding, not encryption, so the credentials are only as protected as the TLS connection that carries them.
- username: username used in the authentication
- password: password for the above username
- preemptive authentication: the authentication header is sent directly with the call, instead of an initial back and forth in which the partner's server first challenges the request and we then repeat it with credentials. If you don't know what to do with this, leave it unchecked.
- trust level: defines the level of security used in the SSL handshake (default is 'standard').
- Valid HTTP return codes: comma-separated list of expected HTTP return codes. If the return code is not in the list, the polling throws an error. The default is '200,201,202,204,205'.

Digest
An alternative to Basic authentication that transmits a hash derived from the credentials instead of the password itself, so the password is not exposed on the wire.
- username: username used in the authentication
- password: password for the above username
- preemptive authentication: the authentication header is sent directly with the call, instead of an initial back and forth in which the partner's server first challenges the request and we then repeat it with credentials. If you don't know what to do with this, leave it unchecked.
- trust level: defines the level of security used in the SSL handshake (default is 'standard').
- Valid HTTP return codes: comma-separated list of expected HTTP return codes. If the return code is not in the list, the polling throws an error. The default is '200,201,202,204,205'.
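As an added illustration of what the Basic and Digest options above actually put on the wire (example code written for this page, not the gateway's own implementation), the following Python builds both Authorization headers from a constructed WWW-Authenticate challenge. The username, password, realm and nonce are the worked example from RFC 2617 section 3.5, so the Digest response can be checked against the value published there; the client nonce and nonce count are pinned so the output is reproducible.

```python
import base64
import hashlib
import re

# Constructed sample challenge. Realm, nonce, username and password are the worked
# example from RFC 2617 section 3.5, so the Digest result can be checked against it.
USERNAME = "Mufasa"
PASSWORD = "Circle Of Life"
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')


def basic_header(username: str, password: str) -> str:
    """Preemptive Basic: the header is built from the credentials alone, no challenge needed."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_basic_credentials(header: str) -> tuple:
    """Base64 is reversible: whoever can read the header can read the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd


def parse_challenge(www_authenticate: str) -> dict:
    """Split a WWW-Authenticate value into its scheme and name=value parameters.

    Digest needs the server's realm and nonce before the client can answer; that is
    the 'initial back and forth' which the preemptive option skips for Basic."""
    scheme, _, params = www_authenticate.partition(" ")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', params)
    return {"scheme": scheme, **{k: quoted or bare for k, quoted, bare in pairs}}


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1 : nonce : nc : cnonce : qop : HA2)."""
    def md5(s: str) -> str:
        return hashlib.md5(s.encode("utf-8")).hexdigest()
    ha1 = md5(f"{username}:{realm}:{password}")   # the password only ever enters here
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(username, password, challenge, method, uri, nc="00000001", cnonce="0a4f113b"):
    """Answer a parsed Digest challenge; the header carries hashes, never the password.

    cnonce is fixed here for reproducibility; a real client picks a fresh random one."""
    resp = digest_response(username, password, challenge["realm"], method, uri,
                           challenge["nonce"], nc, cnonce)
    return (f'Digest username="{username}", realm="{challenge["realm"]}", '
            f'nonce="{challenge["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{resp}", opaque="{challenge["opaque"]}"')


if __name__ == "__main__":
    basic = basic_header(USERNAME, PASSWORD)
    print("Authorization:", basic)
    print("decodes back to:", recover_basic_credentials(basic))
    challenge = parse_challenge(CHALLENGE)
    print("Authorization:", digest_header(USERNAME, PASSWORD, challenge, "GET", "/dir/index.html"))
```

Running it shows the Basic header decoding straight back to the password, while the Digest header carries only MD5 hashes bound to the server's nonce. Neither scheme protects the request body, and Digest's MD5 gives little margin today, which is why the trust level (TLS) setting matters for both.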
Any
"Any" means that we take the username/password combination and use it in the request without imposing a realm or a port; we adapt to whichever challenge the target server returns in response to the request.
- username: username used in the authentication
- password: password for the above username
- trust level: defines the level of security used in the SSL handshake (default is 'standard').
- Valid HTTP return codes: comma-separated list of expected HTTP return codes. If the return code is not in the list, the polling throws an error. The default is '200,201,202,204,205'.

NTLM
A Microsoft-proprietary challenge-response authentication protocol used to secure connections in Windows-based networks.
- username: username used in the authentication
- password: password for the above username
- trust level: defines the level of security used in the SSL handshake (default is 'standard').
- Valid HTTP return codes: comma-separated list of expected HTTP return codes. If the return code is not in the list, the polling throws an error. The default is '200,201,202,204,205'.

OAuth 1.0a
Token-based authentication using signed requests.
- OAuth1 Signature Method: specifies the algorithm used to sign the request. This ensures the integrity and authenticity of the message.
- OAuth1 Consumer Key: a public identifier issued to the client by the OAuth server. It is used to identify the client application making the request.
- OAuth1 Consumer Secret (optional): a secret shared between the client and the server, used to sign requests in combination with the token secret.
- OAuth1 Token: a temporary or permanent token issued to the client after successful authentication. It represents the user's authorization to access their resources.
- OAuth1 Token Secret (optional): a secret associated with the OAuth1 Token, used to sign requests along with the Consumer Secret.
- OAuth1 Key Alias: an optional alias used to reference your key. It is used when you have selected the SHA1withRSA signature method.
- OAuth1 Realm (optional): specifies the protection space (or domain) the credentials apply to. It is often used to group resources requiring authentication under a specific namespace. Typically included in the Authorization header, but its usage is optional and server-specific.
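To make the OAuth 1.0a fields above concrete, here is an added example (written for this page, not the gateway's code) that combines the consumer key and secret, token and token secret, the HMAC-SHA1 signature method and the realm into a signed Authorization header following RFC 5849. The request and the public identifiers are the worked example from RFC 5849 section 3.4.1; the consumer secret and token secret are constructed placeholders (the RFC example lists only the public values), and the timestamp and nonce are pinned so the output is reproducible. The SHA1withRSA method and its key alias are not covered here.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Request taken from the worked example in RFC 5849 section 3.4.1. The two secrets are
# constructed placeholders; timestamp and nonce are pinned below for reproducibility.
URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
BODY = "c2&a3=2+q"                      # application/x-www-form-urlencoded body
CONSUMER_KEY, CONSUMER_SECRET = "9djdj82h48djs9d2", "example-consumer-secret"
TOKEN, TOKEN_SECRET = "kkk9d7dh3k39sjv7", "example-token-secret"


def pct(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only A-Z a-z 0-9 - . _ ~ stay literal, hex is uppercase."""
    return quote(value, safe="-._~")


def base_string_uri(url: str) -> str:
    """Lower-cased scheme and host, default port dropped, query string excluded."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    default = (scheme == "http" and parts.port == 80) or (scheme == "https" and parts.port == 443)
    if parts.port and not default:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, form_body: str, oauth_params: dict) -> str:
    """Method, base URI and normalized parameters joined by '&' (RFC 5849 section 3.4.1).

    The parameter set is the query string, the form body and the oauth_* protocol
    parameters; oauth_signature itself and realm are excluded by the spec."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if form_body:
        params += parse_qsl(form_body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    # encode names and values first, then sort by name and value (duplicate names allowed)
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 keyed with 'consumer secret & token secret' (each percent-encoded), Base64 output.

    The token secret is optional; with no token the key is just 'consumer_secret&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(method, url, form_body, consumer_key, consumer_secret,
                         token, token_secret, realm=None, timestamp=None, nonce=None):
    """Assemble the 'OAuth ...' Authorization header for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),    # fresh per request in real use
    }
    base = signature_base_string(method, url, form_body, oauth)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    fields = [f'realm="{realm}"'] if realm else []       # realm is sent but never signed
    fields += [f'{k}="{pct(v)}"' for k, v in oauth.items()]
    return "OAuth " + ", ".join(fields)


if __name__ == "__main__":
    print(authorization_header("POST", URL, BODY, CONSUMER_KEY, CONSUMER_SECRET, TOKEN, TOKEN_SECRET,
                               realm="Example", timestamp="137131201", nonce="7d8f3e4a"))
```

Because the signature covers the method, the URI, the query, the form body and the oauth_* parameters, any change to those after signing makes the server's recomputed signature differ, which is the integrity guarantee the Signature Method field refers to; the timestamp and nonce are what let the server reject replays of a captured header.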
OAuth 2
A modern and widely used authorization protocol that separates the resource owner's credentials from the client application.

CERT
Uses client certificates for authentication: the client presents a digital certificate to the server to prove its identity. Typically used in secure corporate environments.
- Certificate Alias: alias identifying the key tied to the public certificate you have agreed upon with your partner for the exchange. It allows us to sign the exchange.

OAuth 2 Client credentials
OAuth 2 flows that authenticate using client credentials, commonly used for server-to-server interactions.

OAuth 2 With bearer
OAuth 2.0 with Bearer tokens, a widely used authorization framework in which the access token is sent in the Authorization header of each request.
- Bearer: bearer token to be added to the header.

Implicit OAuth1 token
This feature is only accessible when using Babelway through a Tradeshift App. In that case, your Tradeshift OAuth1 integration token is used if available.