API request authorization ways
Specify an authorization key in the HTTP Header in order for any Watcher API call to be executed. The key may also affect the rights to execute requests and the results returned.
Authorization key types:
System x-vsaas-api-key can be used for billing integration. It is shown in Watcher settings. This key is valid as long as it stays unchanged. It allows to execute any requests with Super Administrator permissions except for token request at the Agent activation.
curl -v -X GET -H 'x-vsaas-api-key: 7c75da8fb314183f1f825271898a3687' -H 'content-type: application/json' http://127.0.0.1/vsaas/api/v2/cameras
The request will return the list of all cameras added in Watcher; compare to point 3 below.
x-vsaas-session should be used to implement user actions in your own app or web UI for Watcher. It is returned in response to
/vsaas/api/v2/auth/loginrequest in the session parameter. It is valid until session limit is exceeded (if the limit is set in Watcher settings or user settings, otherwise valid permanently). This key allows requests within the logged in user permissions.
For testing purposes, you can see the x-vsaas-session parameter in the request executed by Web UI (see How to use DevTools to obtain browser logs).
curl -v -X GET -H 'x-vsaas-session: W98uOoiMFf46SyE78RjWIZjsaVM' -H 'content-type: application/json' http://127.0.0.1/vsaas/api/v2/auth/whoami
The request will return all parameters of the user for whom the session is opened.
User x-vsaas-api-key can be used for billing integration with limited permissions or any other automation. You can generate it in user profile and it will be valid as long as it stays unchanged. Use this key with x-vsaas-user: user name. It allows requests within the permissions of the specified user.
curl -v -X GET -H 'x-vsaas-api-key: M8rT4KvfT3tZpCj34Qbk5CEt' -H 'x-vsaas-user: user1' -H 'content-type: application/json' http://127.0.0.1/vsaas/api/v2/cameras
The request will return the list of cameras visible to user1; compare to point 1 above.