Authentication

The primary objective of authentication is to verify the legitimacy of requests between parties, ensuring they originate from valid sources. This is crucial to prevent unauthorized access and maintain system integrity.

Server-to-Server Authentication

For server-to-server authentication, use access tokens generated as outlined in the Authorization section. This method is designed exclusively for server-to-server API requests utilizing an access token.

Client-to-Client Authentication

In this context, "Client" typically refers to the iframe container and the iframe itself.

Requests from LLM-Based Platform to Intent Provider

When the LLM-based platform embeds the Intent Provider within an iframe, the Intent Provider must verify the identity of the LLM-based platform.

Here are the steps for authenticating the LLM-based platform:

Attach Query Parameters to the Intent's URL

The LLM-based platform should append the following query parameters to the intent's URL:

  1. origin: The domain of the LLM-based platform.
  2. instanceId: A unique identifier for each instance of the intent.
  3. callbackToken: A unique token generated by the LLM-based platform for each intent instance, used by the Intent Provider for authentication when posting back data.
  4. timestamp: The current timestamp in milliseconds.

Verify the Request

Upon receiving the request, the Intent Provider should perform the following verification steps:

  1. Retrieve document.referrer from the request and compare it with the origin query parameter. Apply validation logic such as the same-origin policy or a root-domain same-origin policy.
  2. Use the app access token, obtained via the Authorization mechanism, to validate instanceId, callbackToken, and timestamp by calling https://your-platform.com/api/v1/verify?instanceId=xxx.

Requests from Intent Provider to LLM-Based Platform

The LLM-based platform must verify messages sent from the Intent Provider. The Intent Provider should include the following parameters with the message:

  1. instanceId: Ensures the message is from the correct intent instance and isolates messages from different instances.
  2. callbackToken: Typically combined with instanceId to verify message frequency. It can be valid for a single use or multiple uses, with checks on the time interval between uses.
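
The platform-side check on incoming messages described above, as an added example that is not the platform's own code. The class name, the maxUses and minIntervalMs settings, the MessageEvent.origin comparison, and handleIntentResult are assumptions made for illustration.

```javascript
// Platform-side validation of messages posted by an embedded intent (added example).
// maxUses / minIntervalMs are assumed policy settings: 1 use = single-use token.
class IntentMessageVerifier {
  constructor({ maxUses = 1, minIntervalMs = 0 } = {}) {
    this.maxUses = maxUses;
    this.minIntervalMs = minIntervalMs;
    this.instances = new Map(); // instanceId -> per-instance state
  }

  // Call when the iframe is created, with the same values appended to the intent URL.
  // callbackToken must come from a CSPRNG (for example crypto.getRandomValues).
  register(instanceId, callbackToken, providerOrigin) {
    this.instances.set(instanceId, { callbackToken, providerOrigin, uses: 0, lastUsed: null });
  }

  // Compare without an early exit so timing does not reveal a matching prefix.
  static tokensEqual(a, b) {
    let diff = a.length ^ b.length;
    const n = Math.max(a.length, b.length);
    for (let i = 0; i < n; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
    return diff === 0;
  }

  // eventOrigin is MessageEvent.origin; data is MessageEvent.data.
  verify(eventOrigin, data, now = Date.now()) {
    const reject = (reason) => ({ ok: false, reason });
    const isStr = (v) => typeof v === 'string' && v.length > 0;
    if (!data || !isStr(data.instanceId) || !isStr(data.callbackToken)) return reject('malformed');
    // instanceId selects the state, so one instance can never consume another's token.
    const rec = this.instances.get(data.instanceId);
    if (!rec) return reject('unknown-instance');
    if (eventOrigin !== rec.providerOrigin) return reject('origin-mismatch');
    if (!IntentMessageVerifier.tokensEqual(data.callbackToken, rec.callbackToken)) {
      return reject('bad-token');
    }
    if (rec.uses >= this.maxUses) return reject('token-exhausted');
    if (rec.lastUsed !== null && now - rec.lastUsed < this.minIntervalMs) return reject('too-frequent');
    rec.uses += 1; // count only messages that passed every check
    rec.lastUsed = now;
    return { ok: true, reason: null };
  }
}

// Browser wiring (handleIntentResult is a hypothetical handler):
// window.addEventListener('message', (e) => {
//   if (verifier.verify(e.origin, e.data).ok) handleIntentResult(e.data);
// });
```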