Authentication

Authentication using JSON Web Token (JWT)

Skykit API can be securely accessed using a JSON Web Token (JWT).

In order to access Skykit API using a JWT, a public/private RSA key pair is needed. The key pair can be generated through various means such as the standard openssl command-line tools, demonstrated in the example section below.

Once the key pair has been generated, please send the public key and the email address that you wish for the key to be associated with to Skykit Support (support@skykit.com), while keeping the private key hidden. Do not share your private key, as anyone possessing it may access the system on your behalf.

After the public key has been added into the system, the keys may be used to generate an access token with the following claims:

{
   "iat": <issued timestamp>,
   "exp": <expiration timestamp>,
   "iss": <email address>
}

The token is valid between the issued and expiration times, the duration of which must not exceed one hour.

Requests may be authenticated and authorized against Skykit API by attaching the access token as the Authorization HTTP request header value prefixed by Bearer and separated by a space:

Authorization: Bearer <token>

A single access token can be used with any number of requests so long as the token has not expired, includes the required claims shown above, and corresponds to a public key that has been properly registered into the system.

Client Authentication Example

The following example walks through the process of generating keys, signing JWTs, and making requests to Skykit API.

The code is written in Python but other languages and libraries may be used as well.

1. Install dependencies:

virtualenv venv
source ./venv/bin/activate
pip install python-jose requests

2. Generate keys:

Generate a private and public key-pair using OpenSSL:

openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -outform PEM -pubout -out public.pem

Alternatively, generate keys in Python:

import rsa

public_key, private_key = rsa.newkeys(2048)

with open('private.pem', 'wb') as f:
    f.write(private_key.save_pkcs1())

with open('public.pem', 'wb') as f:
    f.write(public_key.save_pkcs1())

3. Register public key:

Send your public key to Skykit Support (support@skykit.com), including the email address that you wish the key to be associated with. Keep your private key safe.

4. Sign JWT:

from jose import jwt
from datetime import datetime


def seconds_since_epoch():
    epoch = datetime.utcfromtimestamp(0)
    now = datetime.utcnow()
    now_epoch_delta = now - epoch
    return int(now_epoch_delta.total_seconds())


def generate_access_token():
    with open('private.pem') as f:
        private_key = f.read()

    now_epoch_seconds = seconds_since_epoch()

    claims = {
        'iss': 'your.email@gmail.com',  # replace with the email address you use to access the Skykit Admin Console.
        'iat': now_epoch_seconds,  # issued at time
        'exp': now_epoch_seconds + 3600,  # expiration time.
    }
    return jwt.encode(claims, private_key, algorithm='RS256')


def make_headers():
    token = generate_access_token()
    headers = {'Authorization': 'Bearer {}'.format(token)}
    return headers


if __name__ == '__main__':
    print(generate_access_token())

5. Make requests to Skykit API:

from sign_jwt import make_headers
import requests

if __name__ == '__main__':
    headers = make_headers()
    uri = 'https://skykit-provisioning.appspot.com/sk-api/v1/devices'
    response = requests.get(uri, headers=headers)
    response.raise_for_status()
    print(response.json())

Additional resources

Learn more about JWT