Authentication and Security

Heretto Deploy API ensures that your content is processed and delivered for end-user consumption securely.

Deploy API uses two methods of API authentication to ensure the secure distribution of content from Heretto CCMS to various delivery endpoints: Simple API Keys and JSON Web Tokens (JWTs). Both are managed as API Keys in the Content API interface of Heretto CCMS. For details, see Create API Keys.

Simple API Key: A Simple API Key gives the same access to every website or web application user.
JSON Web Token (JWT): A JSON Web Token (JWT) enables you to specify user access based on maps and DITAVALs.

Simple API Keys

A Simple API Key is a unique identifier used to verify that an application, developer, or user has permission to access the other application. The key is a long string of characters passed as a parameter in an API call or included in the request header.

Simple API Keys give the same access to every website or web application user.

Heretto CCMS Administrators can create and delete Simple API Keys.

JSON Web Tokens (JWTs)

A JSON Web Token (JWT) is a self-contained token that not only verifies that the application has permission to access another application but also provides additional information that specifies the granularity of access rights. If you use a JWT security method that does not include an authentication system, the token is saved as a cookie and follows the user until they close the tab.

JWTs enable you to specify user access based on maps. You can further refine user access through conditional profiling with DITAVALs. For more information about profiling content for different audiences, see Filtering and Personalization.

JWTs also enable you to embed content in another webpage or to build a website or web application.

Heretto CCMS Administrators can create and delete JSON Web Tokens (JWTs). They can also specify the access the tokens provide, for example, to the entire content set or to a particular map.

API Call Authentication

You can provide authentication for all endpoints in the HTTP header X-Deploy-API-Auth or as a URL parameter token. Both methods use the same value: the API Key provided in the Content API interface interface in Heretto CCMS.

Note:

The Content API interface is available for users added in the Administrator role to Heretto CCMS.

Content API interface with list of API keys. — Figure 1. The Content API interface with a number of API keys configured

Create API Keys

API Keys are necessary for authorizing and authenticating users, and to call Heretto Deploy API endpoints. API Keys are configured in Heretto CCMS by users assigned the Administrator in the CCMS.

Ensure you are assigned the Administrator role in Heretto CCMS.

In the top-left corner, click the Main Menu and go to Content API.
Click the New API Key and choose:
- Simple API Key
- JWT HS256 Key
A new dialog window opens.
In the window that opens, enter a name for the token.
From the Access Type choose:
- Select All Content to grant the token owner access to the entire Content Library.
- Specific Map, then click the Add file, and select a map. To grant the token owner limited access to an individual map.
Save.

Find Values of Heretto-specific API Attributes

Heretto Deploy API requires you to enter values of some attributes that are are specific to your implementation of Heretto CCMS.

Note:

In the current version of Heretto, to obtain your organizationId or Deploy API server name, contact your Customer Success Manager or our support team.

deploymentIdentifier

To find the value of deploymentIdentifier, access the Main Menu , click Deployments, and click the name of the required deployment. The deploymentIdentifier is the value of the ID field.

Gretyl's Portal

Heretto Help