
API Security Guidelines

Context

This section provides security guidelines for REST APIs. In addition to the general guidelines, the following MUST be followed:

External REST APIs exposed via HTTP MUST be secured with OAuth 2.0 Bearer Token Usage (RFC 6750) and TLS.

Token Format

JSON Web Token (JWT) SHOULD be used as the token format.

Security Checks

When using a JWT, the API implementation (or a provided deployment infrastructure) MUST check:

  • The token signature
  • The token expiry
  • The token issuer
  • The scope provided by the token

The API implementation (or a provided deployment infrastructure) SHOULD check:

  • The token audience
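As an added example (not code from the guideline or from any Siemens project), the checks above as a stdlib-only validator for an HS256 JWT carrying the same claims as the example token further down. The signing secret, the expected issuer and audience, and the `now` argument (seconds since the epoch, supplied by the caller) are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed values (not from the page): the page's token was signed with an
# unknown key, so this block mints its own HS256 token for the same claims.
SECRET = b"constructed-demo-secret"
EXPECTED_ISS = "https://token-issuer.siemens.com"
EXPECTED_AUD = "https://ews.siemens.com"
PAYLOAD = {"iss": EXPECTED_ISS, "iat": 1699875758, "exp": 1731411758,
           "aud": EXPECTED_AUD, "sub": "john@doe.com",
           "scope": ["ews.weather.read", "ews.weather.admin"]}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(payload: dict, secret: bytes = SECRET) -> str:
    """Build header.payload.signature with HS256, as the token issuer would."""
    header = {"typ": "JWT", "alg": "HS256"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(payload, separators=(",", ":")).encode()]
    signing_input = ".".join(_b64url_encode(p) for p in parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def validate_token(token: str, required_scope: str, now: int, secret: bytes = SECRET) -> dict:
    """Return the claims if every MUST/SHOULD check passes; raise ValueError otherwise."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the header choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")                 # MUST: signature
    claims = json.loads(_b64url_decode(payload_b64))      # parse only after the MAC check
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")                 # MUST: expiry
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")                  # MUST: issuer
    if required_scope not in claims.get("scope", []):
        raise ValueError("missing scope")                 # MUST: scope
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")                # SHOULD: audience
    return claims
```

A real deployment would usually verify against the issuer's published key set rather than a shared secret, but the order of checks (signature first, claims only afterwards) stays the same.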

Calling secured REST APIs

When calling a secured REST API, the request header Authorization with the value Bearer <your token> SHOULD be present.

Example

A simple JWT could look like:

  • Base64url encoded (compact serialization): eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL3Rva2VuLWlzc3Vlci5zaWVtZW5zLmNvbSIsImlhdCI6MTY5OTg3NTc1OCwiZXhwIjoxNzMxNDExNzU4LCJhdWQiOiJodHRwczovL2V3cy5zaWVtZW5zLmNvbSIsInN1YiI6ImpvaG5AZG9lLmNvbSIsInNjb3BlIjpbImV3cy53ZWF0aGVyLnJlYWQiLCJld3Mud2VhdGhlci5hZG1pbiJdfQ.WwTZepkPTHrCysZ9AiLuN0k7QSDRFs-z4CxN9cvYDgA
  • Decoded payload:
{
  "iss": "https://token-issuer.siemens.com",
  "iat": 1699875758,
  "exp": 1731411758,
  "aud": "https://ews.siemens.com",
  "sub": "john@doe.com",
  "scope": [
    "ews.weather.read",
    "ews.weather.admin"
  ]
}

The call to a secured endpoint would look like:

GET https://ews.siemens.com/api/weather/conditions HTTP/1.1
Accept: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL3Rva2VuLWlzc3Vlci5zaWVtZW5zLmNvbSIsImlhdCI6MTY5OTg3NTc1OCwiZXhwIjoxNzMxNDExNzU4LCJhdWQiOiJodHRwczovL2V3cy5zaWVtZW5zLmNvbSIsInN1YiI6ImpvaG5AZG9lLmNvbSIsInNjb3BlIjpbImV3cy53ZWF0aGVyLnJlYWQiLCJld3Mud2VhdGhlci5hZG1pbiJdfQ.WwTZepkPTHrCysZ9AiLuN0k7QSDRFs-z4CxN9cvYDgA

Additional Security Protection

When applicable, other security protection mechanisms MAY be used, e.g. X.509 certificate authentication.