Skip to content

Authorization, not Authentication

AHI make a clear distinction between what is Authentication and Authorization.

  • User authentication is the process related to verifying that the person is who they say they are. For example, prior knowledge of username/email and password, or associated Social login (Facebook, Google, etc..). It is separate to user authorization.
  • User authorization is the process related to providing access to services to the authenticated user.

The user base is the responsibility of the partner, therefore AHI do not offer services to manage or implement user authentication or management solutions. However, once a user is authenticated and verified by the partner App, that user must be granted permission to AHI services through an authorization process with AHI.

In summary, authentication is "proving" that the user is who they say they are, and authorization is "granting access" to the user to the services they have permission to.

AHI suggest finding more information on the topic here.

Why do we need authorization?

A unique user ID, salt and claims ensure that all billable events can be registered to a unique user and transmitted and stored securely, thereby preventing unauthorized or potentially malicious actors from undertaking unauthorized scans or intercepting unencrypted and or manipulating billing events in transit.

How do we authorize users?

AHI MultiScan SDK authorizes a user with 3 requirements

  • userID - Unique to the user that never changes; do not use email or phone numbers as these may change.
  • salt - The salt, also known as "initiation vector", is used for signing the user, which enables secure encryption of details and greatly assists in preventing decryption of transported data. You can read more about using salt an best security practices here:
  • https://public.cyber.mil/stigs/
  • https://www.okta.com/au/identity-101/hmac/
  • claims - An array of claims unique to the user and will not change (e.g. registration date). Likewise, the order must not change. Therefore, don’t include the email, as the user could change this.