fiskaly / fiskaly-sdk-swift

fiskaly Cloud-TSE SDK for Swift/iOS
MIT License

Authorization with Fiskaly #28

Closed TomoLV closed 4 years ago

TomoLV commented 4 years ago

While integrating fiskaly-sdk-swift with our client's app it turned out that they would prefer not to have API_KEY and API_SECRET exposed to the iOS application. Because of that, I have a question regarding request authentication:

Is it possible to initialize FiskalyHttpClient without providing API_KEY and API_SECRET and authenticate each request by adding access_token (received from our client's backend) to the headers as ["Authorization", "Bearer {{access_token}}"]?

let responseCreateTransaction = try client.request(
    method: "PUT",
    path: "tss/\(tssUUID)/tx/\(transactionUUID)",
    headers: ["Authorization": "Bearer {{token}}"],
    body: transactionBodyEncoded!)

UPDATE: I've tried to accomplish that by initializing FiskalyHttpClient(apiKey: "dummy_key", apiSecret: "dummy_secret", baseUrl: "https://kassensichv.io/api/v1/") and then adding authorization header to the request as described above.

As a result I'm getting the following error: {"status_code":401,"error":"Method Not Allowed","message":"Invalid credentials"}

prempador commented 4 years ago

Hello @TomoLV ,

It is not possible to do this. I have some questions regarding this:

Best, @prempador

TomoLV commented 4 years ago

@prempador Thank you for such a fast response.

Here are answers to your questions:

@TomoLV

prempador commented 4 years ago

backend is managing the tokens and simply passes them via this endpoint

So your backend (or the client's backend) is doing authorization with our auth endpoints, with the credentials saved in your backend.

Currently it is client's preference not to expose the Key-Pair due to security concerns

The same should be said about AT and RT.

TomoLV commented 4 years ago

@prempador That's correct.

We've come to the conclusion that the API Key/Secret pair (instead of AT/RT) is going to be exposed by the client's backend.
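The approach the thread settles on, written out as an added example that is not part of the issue or of the fiskaly-sdk-swift project: the app ships with no API key or secret in its bundle, fetches the pair at runtime from the client's own backend, and then initialises `FiskalyHttpClient` with it so the SDK performs authentication itself instead of a hand-added `Authorization` header. The backend path `fiskaly/credentials`, its JSON shape, the `sessionToken` scheme and the `FiskalyCredentials` type are assumptions; `FiskalyHttpClient(apiKey:apiSecret:baseUrl:)` and `client.request(method:path:headers:body:)` are the calls already shown in the issue.

```swift
import Foundation

// Assumed response shape of the client's backend endpoint (not a fiskaly API).
struct FiskalyCredentials: Decodable {
    let apiKey: String
    let apiSecret: String
}

enum CredentialError: Error {
    case badResponse(statusCode: Int)
}

/// Fetches the fiskaly key pair from the client's backend over an
/// authenticated channel. The backend is the only place the pair is stored;
/// the app receives it at runtime and keeps it in memory only.
/// Endpoint path and session-token scheme are assumptions for this example.
func fetchFiskalyCredentials(backend: URL, sessionToken: String) async throws -> FiskalyCredentials {
    var request = URLRequest(url: backend.appendingPathComponent("fiskaly/credentials"))
    request.httpMethod = "GET"
    request.setValue("Bearer \(sessionToken)", forHTTPHeaderField: "Authorization")

    let (data, response) = try await URLSession.shared.data(for: request)
    guard let http = response as? HTTPURLResponse, http.statusCode == 200 else {
        let code = (response as? HTTPURLResponse)?.statusCode ?? -1
        throw CredentialError.badResponse(statusCode: code)
    }
    return try JSONDecoder().decode(FiskalyCredentials.self, from: data)
}

/// Builds the SDK client from credentials obtained at runtime and issues the
/// transaction request from the issue. No Authorization header is set by hand:
/// the SDK authenticates with the key pair it was initialised with, which is
/// why the dummy-credentials-plus-bearer-header attempt returned 401.
func createTransaction(tssUUID: String,
                       transactionUUID: String,
                       transactionBodyEncoded: Data,
                       backend: URL,
                       sessionToken: String) async throws {
    let credentials = try await fetchFiskalyCredentials(backend: backend, sessionToken: sessionToken)

    // Initialiser as used in the issue; `try` is harmless if it does not throw.
    let client = try FiskalyHttpClient(
        apiKey: credentials.apiKey,
        apiSecret: credentials.apiSecret,
        baseUrl: "https://kassensichv.io/api/v1/")

    let responseCreateTransaction = try client.request(
        method: "PUT",
        path: "tss/\(tssUUID)/tx/\(transactionUUID)",
        headers: [:],
        body: transactionBodyEncoded)

    print(responseCreateTransaction)
}
```

Two points a reviewer would raise on this design, both already implied by the thread: the key pair still reaches the device, so it carries the same exposure as an access/refresh token would and should not be persisted (no UserDefaults, no plist), only held for the lifetime of the client; and the backend endpoint that hands it out must itself authenticate the caller, otherwise it simply relocates the secret rather than protecting it.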