Reference

Basics

Below is a quick guide on how to integrate Almefy in your project to test it easily. We are preparing a comprehensive documentation covering all possible use cases and parameters.

Notice: This documentation is work in progress.

Authentication

We use signed Json Web Tokens (JWT) for API authentication. To provide maximum security, we also use additional claims related to the request.

Response Codes

These are the general response codes used by the Almefy API. If special handling is required, the appropriate response codes are noted below at each section.

CodeDescription
200Ok, resource was updated
201Ok, resource was created
202Ok, request was accepted
204Ok, but no content is returned
400Submitted data is invalid
401Unauthorized access
403Forbidden, insufficient credentials
404Resource not Found
410Resource is gone
423Resource is locked
429Too many requests
500Something went wrong on Almefy's end

Request Errors

Whenever an error occurs, the API will return a response structure similar to this (based on the "Problem Details" described in RFC7807open in new window):

{
  "type": "https:\/\/docs.almefy.com\/api\/errors.html",
  "title": "Unauthorized",
  "status": 401,
  "detail": "Full authentication is required to access this resource.",
  "instance": "\/v1\/entity\/identities\/enroll"
}

Invalid Data

Whenever invalid data is submitted, the 400 status code is returned to the client, with a response structure similar to this (based on the "Problem Details" described in RFC7807open in new window):

{
  "type": "https:\/\/docs.almefy.com\/api\/errors.html",
  "title": "Bad Request",
  "status": 400,
  "detail": "Validation errors occurred. Please confirm the fields and submit again.",
  "instance": "\/v1\/entity\/challenges",
  "errors": {
    "authType": [
      {
        "code": "8e179f1b-97aa-4560-a02f-2a8b42e49df7",
        "message": "The value you selected is not a valid choice."
      }
    ]
  }
}

The errors object enumerates all fields that raised errors, and each field provides a code constant, and a message description.

Identities

Create Identity

POST /v1/entity/identities

Retrieve Identity

GET /v1/entity/identities/:identifier

Update Identity

POST /v1/entity/identities/:identifier

Delete Identity

Delete Identity on the Almefy cloud. A User with this identifier won't be able to authenticate using Almefy anymore.

DELETE /v1/entity/identities/:identifier
ParameterTypeDescription
identifierStringUnique identifier for Identity (email, username, id, hash, ...)

Response

CodeDescription
204Identity was deleted
404Identity does not exist

List all Identities

GET /v1/entity/identities

Enroll Identity

Start enrollment process for Identity by creating an Enrollment Token, which can be used to provision a Device.

POST /v1/entity/identities/enroll
ParameterTypeDescription
identifierStringUnique identifier for Identity (email, username, id, hash, ...)
nicknameStringHuman readable nickname, if identifier is id/hash
sendEmailBooleanIf enabled, you can use Almefy to send the enrollment Email
sendEmailToStringThe address to send the email to
sendEmailLocaleStringAny locale or language for the email
roleStringA custom user role. ROLE_USER is default
timeoutIntegerOverwrite enrollment timeout if necessary

Note: Bold parameters are mandatory, Italic optional

Response

id: Enrollment Token Id
createdAt: UTC Date
expiresAt: UTC Date
base64ImageData: Enrollment Image Data
identity: # Identity to Enroll
  id: Identity Id
  createdAt: UTC Date
  locked: Boolean
  identifier: Unique identifier for Identity
  nickname: Readable nickname in case identifier is any Id/Hash
  label: A helper field that displays nickname instead of identifier if provided
  role: A role associated with this Identity during enrollment
  tokens: # Array of Devices associated with Identity
    id: Token Id
    createdAt: UTC Date
    name: A displayable Device name (model and label concatenated)
    model: Device Model
    label: Custom Device Label
CodeDescription
200Enrollment token created for existing Identity
201Enrollment token created for new Identity

Rename Identity

Authentication Challenges

Create Challenge

Every authentication starts by creating an Authentication Challenge that needs to be processed by the Almefy app during a common challenge-response workflow. The response provides a challenge id as part of an image. If returnAuthImageData is set to true, the response will also contain the base64 image data of enabled auth images.

POST /v1/entity/challenges
ParameterTypeDescription
keyStringThe ALMEFY API key
returnAuthImageDataBooleanWhether the auth images should be returned as base64 data, or just URLs

Note: Bold parameters are mandatory, Italic optional

Response

id: Challenge Id
createdAt: UTC Date
expiresAt: UTC Date
authType: The authentication type, currently only "web"
authImages: List of authentication image URLs
  qrcode-standard: URL
  qrcode-extended: URL
  ...
authImagesData: Array of authentication image data (base64) if "returnAuthImageData" is "true"
  qrcode-standard: Base64 image data
  qrcode-extended: Base64 image data
  ...
pollingUrl: URL for checking the signing status
authTokenUrl: URL for retrieving the authentication token once the challenge is signed
socketsUrl: URL for the Websocket server (WIP)

Check Challenge Status

Once a challenge is created, it can be checked for any status change.

GET /v1/entity/challenges/:id/status
ParameterTypeDescription
idStringThe challenge id from response above

Note: Bold parameters are mandatory, Italic optional

Please Notice

This long-polling request is being hold approximately one second, until the response returns.

Response

# The 200 status response will contain the authentication token
token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOweqwe2241dgweiIw2324ew23qd ...
CodeDescription
200Challenge was signed, the JSON response will contain a token (see also Process Auth Token)
204Challenge was not signed yet
404Challenge could not be found
410Challenge has expired