We're building a product that helps move cash between accounts. How could we accomplish this in Banno?
Would Transfers work at all?
For jXchange, the transfer (XferAdd) behavior includes error checking that both the from and to accounts are the same customer. If that is not the use case, then a pair of TrnAdd are used instead.
[Edited] The Banno Digital Toolkit doesn’t have APIs available to do the transfers themselves.
However, it’s possible to get the unmasked account number via a specific account number API endpoint so that would probably work for your use case.
Alternatively, you could use jXchange's REST or SOAP APIs to do this.
Related
We are providing websites/CMS solutions for more than 2500 customers. Almost all websites have google-map module. So since google changed its map usage policy, from one day to another all those webs had an error on their map modules. We need to come up with some quick (and dirty) solution. We decided to use multiple api-keys, and devide domains between them - alphabetic. And we registered all those 2500+ domains under these keys - manually. One by one.
The solution worked until last week. Now we somehow reached some kind of limit, as we cannot register any new domains/referrers under one of those api-keys. The actual count of domains/referrer of this given api-key: 1537. The saving process yields an error with tracking code (which is every time I try different).
Is there really some kind of limit? Does anyone experienced the same problems. Does some time-economic solution exists?
Thanks for any help or suggestions. Peace!
There is indeed a limit of (at time of writing) about 1,000 referer restrictions per API key. You can create about 100 keys per project, so you can authenticate 100,000 domains with a single project. To proceed further, you can create multiple projects (note that multiple projects can be combined under the same billing account, so you would still receive a single bill).
As a short term fix, you can temporarily remove all restrictions on the key, so that apps relying on that key are functional again. Then you can take the time to release a new key sharding pattern that follows these guidelines.
I just created a feature request so that the situation can be improved, for this use case ("star" it, to be notified of updates).
Google has recently released an alpha version of API that allows manage API keys programmatically.
The best way to handle thousands of authorized domains is to use an API to programmatically manage your API Keys and their restrictions, and we have recently launched a new service that allows you to do this.
This API is still in Alpha. If you are interested in becoming a Trusted Tester for this service, you can use the following form to sign up, please read the instructions carefully:
https://forms.gle/qx2SMcarWCAsbWVp7
Please note that this API is not part of the Google Maps Platform. After you fill out the form, you will be contacted by the API Keys API team with instructions on how to get started, and how to receive support.
API Keys API is currently free of charge. However, please note that use of Cloud Endpoints may be subject to charges at high traffic volume. You can check the pricing sheet here:
https://cloud.google.com/endpoints/pricing-and-quotas
source: https://issuetracker.google.com/issues/35829646#comment12
Hope this helps!
I am currently working on a REST/JSON API that has to provide some services through remote websites. I do not know the end-customers of these websites and they would/should not have an account on the API server. The only accounts existent on the API server would be the accounts identifying the websites. Since this is all RESTful and therefore all communication would be between end-user browser (through javascript/JSON) and my REST API service, how can I make sure that the system won't be abused by 3rd parties interested in increasing the middleman's bill? (where the middleman is the owner of the website reselling my services). What authentication methods would you recommend that would work and would prevent users from just taking the js code from the website and call it 1000000 times just to bankrupt the website owner? I was thinking of using the HTTP_REFERER , and translate that to IP address (to find out which server is hosting the code, and authenticate based on this IP), but I presume the HTTP_REFERER can easily be spoofed. I'm not looking for my customer's end customers to register on the API server, this would defeat the purpose of this API.
Some ideas please?
Thanks,
Dan
This might not be an option for you, but what I've done before in this case is to make a proxy on top of the REST calls. The website calls its own internal service and then that service calls your REST calls. The advantage is that, like you said, no one can hit your REST calls directly or try to spoof calls.
Failing that, you could implement an authentication scheme like HMAC (http://en.wikipedia.org/wiki/Hash-based_message_authentication_code). I've seen a lot of APIs use this.
Using HMAC-SHA1 for API authentication - how to store the client password securely?
Here is what Java code might look like to authenticate: http://support.ooyala.com/developers/documentation/api/signature_java.html
Either way I think you'll have to do some work server side. Otherwise people might be able to reverse engineer the API if everything is purely client side.
We are integrating the Box into our application for iOS. We would like the user’s info – particularly user name. We use the method GET /users. It works well with private users and regular users on enterprise account, but is a bit inconvenient for enterprise administrator. We get the list of all the users in this account.
Is it possible to distinguish the particular administrator name from this list? Is it the first name in the list?
Use
GET /users/{user id}
To get information of an individual user. Regarding whether you can distinguish an admin in the list, you cannot do that for now. Atleast, they do not support it for now
I would just like to add that the users endpoint is one for which the Box Platform team is still adding features before we take the V2 API out of beta. Currently, you may find more possibilities with the V1 API, in particular, the get_account_info call. However, it's best to use the V2 API as much as possible, since the V1 will be deprecated soon.
i'm looking at building some mobile applications. Therefore, these apps will 'talk' to my server via JSON and via REST (eg. put, post, etc).
If I want to make sure a client phone app is trying to do something that requires some 'permission', how to people handle this?
For example:
Our website sells things -> tv's, car's, dresses, etc. The api will
allow people to browse the shop and purchase items. To buy, you need
to be 'logged in'. I need to make sure that the person who is using
their mobile phone, is really them.
How can this be done?
I've had a look at how twitter does it with their OAuth .. and it looks like they have a number of values in a REQUEST HEADER? If so (and I sorta like this approach), is it possible that I can use another 3rd party as the website to store the username / password (eg. twitter or Facebook are the OAuth providers) .. and all I do is somehow retrieve the custom header data .. and make sure it exists in my db .. else .. get them to authenticate with their OAuth provider?
Or is there another way?
PS. I really don't like the idea of having an API key - I feel that it can be too easily handed to another person, to use (which we can't take the risk).
Our website sells things -> tv's, car's, dresses, etc. The api will
allow people to browse the shop and purchase items. To buy, you need
to be 'logged in'. I need to make sure that the person who is using
their mobile phone, is really them.
If this really is a requirement then you need to store user identities in your system. The most popular form of identity tracking is via username and password.
I've had a look at how twitter does it with their OAuth .. and it
looks like they have a number of values in a REQUEST HEADER? If so
(and I sorta like this approach), is it possible that I can use
another 3rd party as the website to store the username / password (eg.
twitter or Facebook are the OAuth providers) .. and all I do is
somehow retrieve the custom header data .. and make sure it exists in
my db .. else .. get them to authenticate with their OAuth provider?
You are confusing two differing technologies here, OpenID and OAuth (don't feel bad, many people get tripped up on this). OpenID allows you to defer identify tracking and authentication to a provider, and then accept these identities in your application, as the acceptor or relying party. OAuth on the other hand allows an application (consumer) to access user data that belongs to another application or system, without compromising that other applications core security. You would stand up OAuth if you wanted third party developers to access your API on behalf of your users (which is not something you have stated you want to do).
For your stated requirements you can definitely take a look at integrating Open ID into your application. There are many libraries available for integration, but since you asked for an agnostic answer I will not list any of them.
Or is there another way?
Of course. You can store user id's in your system and use basic or digest authentication to secure your API. Basic authentication requires only one (easily computed) additional header on your requests:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
If you use either basic or digest authentication then make sure that your API endpoints are protected with SSL, as otherwise user credentials can easily be sniffed over-the-air. You could also fore go user identification and instead effectively authenticate the user at checkout via credit card information, but that's a judgement call.
As RESTful services uses HTTP calls, you could relay on HTTP Basic Authentication for security purposes. It's simple, direct and is already supported for the protocol; and if you wan't an additional security in transport you could use SSL. Well established products like IBM Websphere Process Server use this approach.
The other way is to build your own security framework according to your application needs. For example, if you wan't your service only to be consumed by certain devices, you'll need maybe to send an encoded token as a header over the wire to verify that the request come from an authorized source. Amazon has an interesting way to do this , you can check it here.
Myself mendy, i am designing web application, The business required to integrate payment gateway. I searched on site regarding the flow but i could not get much info on MSDN. I want to make payment gateway using SSL and 3rd party merchant account. How can i do it ? some info regarding payment gateway could guid me to start developing the component.
You'll need to hook up with somebody like PayPal to process your payments. They will provide you with documentation and possibly a library to access their service.
Note that your payment processor is not necessarily the same company as your merchant account.
I'm assuming you wish to integrate with a payment gateway, not write your own?
If so, the answer is that it depends on the gateway that you intend to use. Each has their own API.
We use Iridium Corp for our products in the UK - they provide a bunch of .net components that you can just call from your code. Paypal will provide a well-documented API. So will some of the other big ones.
If you want some tips, you could look at some of the open-source shopping carts, which all have code to integrate to many of the big payment gateways.
Hope that helps...
Jake.
You should give wepay.com a try. There is now a C# SDK available with a few example here: http://bradoyler.com/post/29357874298/wepaysdk