API Authentication

Description: Learn how Altostrat SDX organizes its public Developer API, SPA application APIs, and internal infrastructure endpoints—and how to securely authenticate each one.

Overview

The Altostrat SDX platform provides multiple APIs for different use cases:

  1. Developer API (public):
  • Intended for external teams or individual users who want to integrate or build on top of Altostrat’s services.
  • Authenticates via bearer tokens (issued to the user’s team), which you include in the Authorization header.
  2. SPA Application APIs:
  • Primarily consumed by Altostrat’s own web app components or official client applications.
  • Uses JWT bearer tokens obtained from an OAuth2 process to access protected endpoints.
  • Typically not directly called by end-user code, since the SPA device manages its own token flow.
  3. Internal (Machine-to-Machine) APIs:
  • Used within Altostrat’s infrastructure for communication between microservices (e.g., job queues, event triggers).
  • These endpoints are not publicly accessible and do not accept user-facing tokens.

Developer API Authentication

When calling the Developer API, you must include a bearer token in the Authorization header of every request:

Authorization: Bearer 0000-0000-0000-0000-0000:0000-0000-0000-0000-0000:abc…

  • Each bearer token is tied to a specific team and can only manage resources owned by that team.
  • Requests are limited to 60 requests per minute per token.
  • All requests must be in JSON format, and you should include the relevant header:

Example Request:

GET /api/resource
Authorization: Bearer 0000-0000-0000-0000-0000:0000-0000-0000-0000-0000:abc…
Content-Type: application/json

Keep your tokens secure to protect against unauthorized access to your resources.
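
A client-side sketch of the rules above, added here as an illustration and not taken from Altostrat's own code or SDK: it builds the request with the two required headers, rejects tokens that could inject extra headers, keeps a token under the 60-requests-per-minute limit, and produces a log-safe form of the token. The base URL `https://api.example.invalid` and the environment variable name `ALTOSTRAT_API_TOKEN` are assumptions; only the `/api/resource` path, the header names and the rate limit come from this page.

```python
import os
import time
import urllib.request
from collections import deque

RATE_LIMIT = 60        # requests per minute per token (from the page)
WINDOW_SECONDS = 60.0


class TokenRateLimiter:
    """Sliding-window limiter that keeps one token under RATE_LIMIT calls per window."""

    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.sent = deque()  # timestamps of requests still inside the window

    def wait_time(self):
        """Seconds to wait before the next request is allowed (0.0 if allowed now)."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()
        if len(self.sent) < self.limit:
            return 0.0
        return self.window - (now - self.sent[0])

    def record(self):
        self.sent.append(self.clock())


def redact(token):
    """Log-safe form of the token: only the first 4 characters survive."""
    return token[:4] + "[redacted]"


def build_request(base_url, path, token):
    """Build a Developer API GET request with the headers the page requires."""
    if not token or any(c in token for c in "\r\n "):
        raise ValueError("token is empty or contains whitespace/CRLF")
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
        method="GET",
    )


def load_token(env_var="ALTOSTRAT_API_TOKEN"):  # hypothetical variable name
    """Read the token from the environment so it stays out of source control."""
    token = os.environ.get(env_var, "").strip()
    if not token:
        raise RuntimeError(env_var + " is not set")
    return token
```

Call `wait_time()` before each send and `record()` after it; pass `redact(token)`, never the token itself, to anything that writes logs.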

SPA Application APIs

  • The SPA device or companion software obtains a JWT bearer token via an OAuth2 flow.
  • Once authenticated, it includes the JWT in its Authorization: Bearer header for all subsequent calls.
  • These tokens are ephemeral and are exchanged or renewed automatically by the SPA environment.

Internal Machine-to-Machine APIs

  • Used by Altostrat’s backend services for tasks such as provisioning, deployments, and other internal orchestration.
  • Not publicly documented or accessible outside of Altostrat’s secured infrastructure.
  • Typically authenticated by ephemeral, short-lived tokens or credentials that are not exposed to end users.

Summary

  • Developer API: For external integrations. Uses an API key that issues a Bearer token.
  • SPA APIs: Consumed by Altostrat’s Single-Board Appliance; uses JWT from OAuth2 for each session.
  • Internal APIs: Machine-to-machine endpoints; not publicly exposed.

Refer to each API’s documentation for detailed endpoint references, request/response formats, and usage guidelines.