To authenticate users, the Vodafone Betavine API uses an anonymous random token called a User Application ID, or UAID. This is different from traditional username and password authentication.
The UAID is also used to identify the application using the API. This information is used to discover which Vodafone Betavine applications are popular in terms of usage, not just downloads. An application downloaded multiple times may be used as frequently as another less popular application.
Using a UAID removes any information from the authentication process that can be used to identify a user. The applications which are using the API cannot be trusted. For example, an application may be collecting user information which could then be used for malicious purposes (e.g. phishing). Betavine does not offer the facility to check all applications using the API.
The Betavine API does not require the digital signing of an application. Signing may not be possible for applications run on resource-limited devices, or for services which are subject to continual change, such as web-based mashups.
If a user discovers that their UAID has been compromised and a malicious application has been using up all their credit, they should go to the Vodafone Betavine web site to renew their UAID. The Vodafone Betavine web site is the only way to renew a UAID, and it requires that the user has authenticated with the web site using their Vodafone Betavine credentials.

Vodafone Betavine assumes that the link between the Vodafone Betavine web site and the user can be trusted. The web site is the only way to check the amount of credits a user owns. This prevents an attack in which an application targets particular UAIDs by how much credit they own and how often they receive credit.

The above diagram shows the limited visibility of the applications using the Vodafone Betavine API. This means that applications cannot directly query the credit framework. This prevents applications from collecting UAIDs and targeting accounts based on their level of usage.
Users of the Vodafone Betavine site who have registered as developers have the ability to test the API in a sandbox. The sandbox uses the same API methods but does not result in any creditable transaction. For example, when invoking send/sms you will receive the correct response but the message will not actually be sent.
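The renewal and sandbox behaviour described above can be modelled in a few lines. This is an added example, not Betavine code: the class, the method names, the token format, the one-credit price per message and the single "rejected" response are all assumptions made for illustration.

```python
import secrets

class UaidRegistry:
    """Toy server-side model (hypothetical names): one UAID per user, credit hidden from applications."""

    def __init__(self):
        self._user_by_uaid = {}   # UAID -> internal user id
        self._uaid_by_user = {}   # internal user id -> current UAID
        self._credit = {}         # internal user id -> credits

    # Web site side: only reachable after the user has logged in with credentials.
    def issue_or_renew(self, user_id, web_authenticated):
        if not web_authenticated:
            raise PermissionError("UAIDs are renewed only through the web site")
        old = self._uaid_by_user.pop(user_id, None)
        if old is not None:
            del self._user_by_uaid[old]       # a compromised UAID stops working at once
        uaid = secrets.token_urlsafe(24)      # random token; carries no user information
        self._uaid_by_user[user_id] = uaid
        self._user_by_uaid[uaid] = user_id
        self._credit.setdefault(user_id, 0)
        return uaid

    def grant_credit(self, user_id, amount):
        self._credit[user_id] += amount

    def web_balance(self, user_id, web_authenticated):
        if not web_authenticated:
            raise PermissionError("credit is visible only on the web site")
        return self._credit[user_id]

    # API side: what an untrusted application can reach. There is no balance query.
    def api_send_sms(self, uaid, sandbox=False):
        user_id = self._user_by_uaid.get(uaid)
        if user_id is None:
            return "rejected"                 # unknown or already renewed UAID
        if sandbox:
            return "ok"                       # correct response, nothing sent or charged
        if self._credit[user_id] < 1:
            return "rejected"                 # assumption: same answer, so no balance hint
        self._credit[user_id] -= 1            # assumption: one credit per message
        return "ok"

def demo():
    reg = UaidRegistry()
    leaked = reg.issue_or_renew("user-1", True)       # constructed sample user
    reg.grant_credit("user-1", 3)
    live = reg.api_send_sms(leaked)                   # charged: 3 -> 2
    boxed = reg.api_send_sms(leaked, sandbox=True)    # not charged
    fresh = reg.issue_or_renew("user-1", True)        # user renews after compromise
    stale = reg.api_send_sms(leaked)                  # old UAID no longer accepted
    return live, boxed, stale, reg.api_send_sms(fresh), reg.web_balance("user-1", True)
```
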