OtpOne is an API used to provide an easy way to protect applications and web sites using a Smartphone, a Security Key, Windows Hello or a Certificate.

You can use the APi in any programmation language which supports web request. You can use OtpOne in Zapier, Microsoft Flow, WordPress plugin and in many other applications as well.

To get your API key, please ask us using our contact form or drop us an email: (BETA release)

https://www.otpone.com/contact or send us an email at [email protected]

Note: You need to have OtpOne configured on your Smartphone to login and to register.

You will obtain two main keys for each API keys you will request:

The server key begins with SRV like SRV-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx. This key is used to request elements from the server side. This key don’t have a place in JavaScript or in a client application, you have to use it only on the server side for security reason. This key will gives you all necessary accesses to the server side requests.

The client key begins with JS like JS-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx. This key is used on the client side. On a web page the key will be used in JavaScript, on a desktop client/server application scenario this key will be used in the client application as well. This key will give you all necessary accesses to client requests.

To simplify the implementation, we have documented our APi using Swagger description and testing tool.

You can get the swagger GUI for help and testing here:

https://api.otpone.com/swagger/ui/index

The Swagger JSON API description is here:

https://api.otpone.com/swagger/docs/v1

To use a Smartphone, a Security Key, Windows Hello, or a Certificate to validate a user request (Authentication, Workflow, Signature, etc…) you have to follow a simple process. The same simple process is used if you want to use the mobile picture and document scan or the mobile signature function.

You have three types of requests possible:

• Standard request type: The client sends the customer request, the server checks the answer after the customer validation.
• Ditributed request type: The server sends the customer request, the client gets the answer after the customer validation.
• Server only request type: The server sends the customer request and checks the answer after the customer validation.

In a standrard request like a login, a workflow validation or a user signature on a web page, the server requests a Transaction ID, and give it to the client. Then the client sends a validation request to the customer. The customer validate his identity in the client page. The client page receive a token. The token is send back to the server for validation.

Server side: Your web server. (Or your application server)

Client side: Your web page. (Or your client application)

Customer side: The Smartphone, Security Key or Certificate owned by the customer, who will confirm his identity.

The process :

1. Get a Transaction ID. (Server side)
2. Load the necessary HTML and JavaScript in your web page. (Client side)
3. Customer confirm his Identity. (Customer side)
4. Verify the received token. (Server side)

Note: In a desktop application you won’t download any HTML or JavaScript but use a component.

otpone api passwordless

1. Get a Transaction ID (Server side)

Create a getTransactionID request on the server. (GET or POST):

getTransactionID description and test

privateToken: is not used in this type of request.

You can define different type of request:

2. Load the necessary HTML and JavaScript in your web page. (Client side)

The client web page needs some JavaScript, HTML and CSS to correctly send or valid the user identity. To simplify your code, you can use a function on the server side and write the result on your client web page.

Use GetHTML function to get the HTML, JavaScript and CSS needed.

GetHTML request description and test

FormID : Enter you ID form you have defined in your website, the setting in used to send the token back after the user has valided the request.

Pagetype: Is used to define the type of validation or digitalization you want: Smartphone, Security Key, Certificate, etc…

3. Customer confirm his identity. (Customer side)

The Customer (End user) has to confim his identity using the validation type used in the PageType.

4. Verify the received token. (Server side)

After the user has finished his action you will obtain a token if the user has valided the request. You HAVE to verify this token in order to close the request process.

VerifyToken description and test

The result has a lot of information depending on the type of the request you made.

Some important part in the function result :

Note: If the user doesn’t accept the request the request will be not redirected to your server.

Distributed requests provides you a way to implement a Client/Server scenario. The client asks for a validation or a digitalization function on your server. Your server sends a request to the Customer. The Transaction ID is given back to the client. The client will receive the result when the user has complete the transaction.

Server side: Your web server or your application server.

Client side: Your client application.

Customer side: The Smartphone, Security Key or Certificate owned by the customer, who will confirm his Identity.

The process :

1. Get a Transaction ID. (Server side) 
2. Verify if the transaction is complete using Transaction ID. (Client side) 
3. The Customer confirm his identity. (Customer side)
4. Receive the result. (Client side)

Note: This type of request can be used to cover none Web-Client – Server scenario.

In some cases you may want to request a phone validation directly from the server side without client interaction. This kind of request can be used when the cient is not compatible with JavaScript or not compatible with a client component. For example, a server only request is used for Zapier and Microsoft flow integration.

Server side: Your web server or your application server.

Client side: – not client side.

Customer side: The mobile phone validation who will confirm his Identity. (Currently, only the phone validation is supported in a server only request).

The process :

1. Request a serverOnlyRequest. (Server side)
2. Customer confirm his Identity. (Customer side)

Note: This type of request is limited but in some case very helpfull.

1. Get a Transaction ID. (Server side)

Create a SendRequest request on the server (GET or POST):

SendRequest description and test

You can define different type of request:

2. Customer confirm his Identity. (Customer side)

The Customer (End user) have to confim his validation using the validation type used in the PageType.

3. The result must be controled.

The result has a lot of information depending of the type for request you have made.

Some important part in the function result :

Note: This type of request can timeout if the customer (End user) doesn’t respond fast enougth. (2 min).