Skip to end of metadata
Go to start of metadata

To keep your application data secure from unauthorized access, your application must prove that it is allowed to communicate with Mobile Backend Services (MBS) in each HTTP request. There are two ways your application can do this:

  • Application key over SSL
  • 2-Legged OAuth

To authenticate user access to individual MBS data objects within your application, such as Photos or Files, you can use access control lists (ACLs). See Access Control Lists for more information.

Application key over SSL

The easiest way to authenticate API requests to MBS is to supply an MBS app key with each request as a URL parameter, for example:

MBS defaults to using application key over SSL.

To locate your application key in Dashboard:

  1. Open Dashboard in your browser and select your MBS application from the Projects tab.
  2. From the left-hand navigation, select Configuration.

  3. On the Keys tab, click Show next to the App Key label to show your application key. 

2-Legged OAuth

If SSL is not available to the client application, MBS also provides secure authentication via 2-Legged OAuth. In this process, an authentication key and secret are used to sign each request made by your application to MBS. When the MBS server receives the request, the secret and the data sent in the request are used to calculate another signature. If the received and calculated signatures match, the request is processed.

Over a non-SSL connection, OAuth is more secure than the application key approach, as the secret used to generate the signature is known only by the app and the MBS server; it is never sent over the network.

Below is an example of an OAuth HTTP header:

To locate your OAuth consumer key and secret in Dashboard:

  1. Open Dashboard and select your application from the Projects tab.
  2. From the left-hand navigation, select Configuration.
  3. On the Keys tab, click Show next to the OAuth Consumer Key and OAuth Secret labels.

OAuth example

Most OAuth libraries that support standard (3-Legged) OAuth—such as those used by Facebook, Twitter, and others—also supports 2-legged OAuth. The following is an example of making a 2-Legged OAuth request using Ruby. Provide your MBS OAuth consumer key and secret for the consumer_key and consumer_secret fields. Use an empty string ("") as both the Access Token and Secret.

Access Control Lists (ACLs)

Access Control Lists (ACLs) provide several APIs to implement access control lists for MBS objects. An access control list controls read and write access to MBS objects it's attached to. Please refer to Access Control Lists for more information.