Security

Clients should serve their Auth API webhook over HTTPS so that baseline transport security is in place.

Galileo will authenticate to the client's webhook with a JSON Web Token (JWT). A shared secret is used to encode (sign) and decode (verify) the token.
The payload carries the following claims:

  • iat - Issued At (Unix time)
  • exp - Expiration Time (Unix time)
  • iss - Issuer, always "galileo"

The token will be created using the following Python code:

import jwt
from datetime import datetime, timedelta

secret = '<shared secret>'  # placeholder for the secret shared with the client
now = datetime.utcnow()     # read the clock once so that exp is exactly iat + 5 s
payload = {
    'exp': now + timedelta(seconds=5),  # the token is valid for five seconds
    'iat': now,
    'iss': 'galileo'
}
token = jwt.encode(payload, secret, algorithm='HS256')

where secret is the shared secret.

The token is sent in the Authorization header field using the Bearer scheme.

Security Example

Here is the header value for exp = 1534274886 and iat = 1534274881:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnYWxpbGVvIiwiaWF0IjoxNTM0Mjc0ODgxLCJleHAiOjE1MzQyNzQ4ODZ9.1xUk4iNFGWLo01MyJUHXRlyrNlzwPvDMSXpN38TrblU
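What the client webhook should do with that header, as an added example that is not part of Galileo's documentation or code: verify the HS256 signature with the shared secret, pin the algorithm, and check iss, iat and exp. The secret value, the clock value passed as now and the helper names are constructed for this example; it uses only the Python standard library instead of PyJWT, and sign_hs256 reproduces the compact form jwt.encode emits so the header and payload segments can be compared with the example above.

```python
import base64, hashlib, hmac, json

# Header value from the example above (its secret is not public, so only the encoding is compared).
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJpc3MiOiJnYWxpbGVvIiwiaWF0IjoxNTM0Mjc0ODgxLCJleHAiOjE1MzQyNzQ4ODZ9."
              "1xUk4iNFGWLo01MyJUHXRlyrNlzwPvDMSXpN38TrblU")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_galileo_token(auth_header: str, secret: bytes, now: int, leeway: int = 0) -> dict:
    """Return the verified claims from an Authorization header, or raise ValueError."""
    scheme, _, token = auth_header.partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        raise ValueError("expected 'Bearer <header>.<payload>.<signature>'")
    head_b64, body_b64, sig_b64 = parts
    head = json.loads(b64url_decode(head_b64))
    # Pin the algorithm: the verifier decides, never the token (rejects alg=none and the like).
    if not isinstance(head, dict) or head.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if not isinstance(claims, dict) or claims.get("iss") != "galileo":
        raise ValueError("unexpected issuer")
    if not all(isinstance(claims.get(c), int) for c in ("iat", "exp")):
        raise ValueError("iat/exp missing")
    if now >= claims["exp"] + leeway:
        raise ValueError("token expired")
    if claims["iat"] > now + leeway:
        raise ValueError("token issued in the future")
    return claims

def is_rejected(auth_header: str, secret: bytes, now: int) -> bool:
    # True when the webhook would refuse the request (base64 and JSON errors are ValueErrors too).
    try:
        verify_galileo_token(auth_header, secret, now)
        return False
    except ValueError:
        return True
```

Because the tokens live only five seconds, the webhook's clock must be in sync with Galileo's; a small leeway covers ordinary skew without accepting stale tokens.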