Creating An Approver
This article explains how to use the Approver Management REST API to create approvers that can be onboarded to the Securosys Authorization App on your mobile device.
Create Approver-Key
The Approver Manager initiates the creation of approver-key(s) using the REST API by following the steps below (either swagger or by CURL).
Currently, there is no user interface available for creating or managing Approver Keys. For now, please use CURL or Swagger for these tasks.
POST: /v1/approverManagement/create
- Swagger
- CURL
{
"approverName": "finance-officer@securosys.com",
"algorithm": "RSA",
"keySize": 2048,
"backupPassword": "6se1Qbsi3bJshe",
"validity": 3650,
"qrCode": true
}
Parameter Description
| Parameter | Description |
|---|---|
| approverName | The email address of the Approver, e.g., officer1@securosys.com. |
| algorithm | The key algorithm to be used by the Approver. Supported algorithms: RSA. |
| keySize | The size of the Approver's key. Supported sizes: 2048, 3072, 4096 bits. |
| backupPassword | The password for the P12 container, used during registration and restoration processes. This password must be sent to the Approver (Mobile Application User) and should be kept securely. It is required if the Mobile User needs to re-register the Approver (e.g., due to a phone change or loss). |
| validity | The validity period of the Approver's certificate, in days. Certificates are generated on the fly. For example, 3650 days equals 10 years. |
| qrCode | If true, the response includes a QR code that can be scanned with the Authorization App to onboard the approver. |
Response:
- If
"qrCode": true, the response includes a QR code image to scan in the Authorization App. - If
"qrCode": false, the response returns aoneTimeCodethat must be securely shared with the approver to fetch their key.
{
"oneTimeCode": "410447"
}
curl -X PUT -H "Authorization: Bearer ey..." \
https://sbx-rest-api.cloudshsm.com/v1/approverManagement/create --json '{
"approverName": "officer1@securosys.com",
"algorithm": "RSA",
"keySize": 2048,
"backupPassword": "2al152aL",
"validity": 3650,
"qrCode": false
}'
Parameter Description
| Parameter | Description |
|---|---|
| approverName | The email address of the Approver, e.g., officer1@securosys.com. |
| algorithm | The key algorithm to be used by the Approver. Supported algorithms: RSA. |
| keySize | The size of the Approver's key. Supported sizes: 2048, 3072, 4096 bits. |
| backupPassword | The password for the P12 container, used during registration and restoration processes. This password must be sent to the Approver (Mobile Application User) and should be kept securely. It is required if the Mobile User needs to re-register the Approver (e.g., due to a phone change or loss). |
| validity | The validity period of the Approver's certificate, in days. Certificates are generated on the fly. For example, 3650 days equals 10 years. |
Response: Response is a oneTimeCode to be sent to the approver to fetch the approver-key
{
"oneTimeCode": "410447"
}
In case of using API-KEY's add the following header to the CURL-Command: -H "X-API-KEY: tsb-x-token_07..."
As an Approver Manager, now that you have prepared the Approver account, give the following details to the human Approver. The user needs them to onboard in the Securosys Authorization App.
-
If you send
"qrCode": truein the request:- The QR code image and the
backupPassword.
- The QR code image and the
-
If you send
"qrCode": false:oneTimeCode,backupPassword,REST API URL, andapproverName
The oneTimeCode can only be used once. If re-registration is required, follow this guide.
Whats next?
- Register Approver on the Securosys Authorization App
- Verify Onboarding Status
- Create a Policy based Key that specifies which approvers need to sign off on operations using this key.