# Api gateway

This feature exists to make securing third-party backends easy. The objective is to call third-party endpoints in a way that is as similar as possible to how Vyou itself is called.

# Calling Vyou endpoints

  • Imagine that the Vyou backend URL is https://vyou.backend.com.
  • Call one Vyou endpoint: https://vyou.backend.com/api/v1/customer
    • Option 1:
      • Headers: Authorization: Bearer <ACCESS_TOKEN>
    • Option 2: using Vyou first-party cookies.

For a more detailed explanation of how to authorize and call Vyou endpoints, see the Authorization section.

# Calling third-party backend client endpoints using Api-gateway feature

Imagine that a third-party backend exists and someone wants to call it in a secure way.

  • For example, someone wants to call https://thirdparty.backend.com/api/v1/invoice.

    • Using the API gateway, the same endpoint is called through this URL: https://vyou.backend.com/_/api/v1/invoice (sending the Authorization header or cookies). That's all.

    WARNING

    Note the use of the '_' character in the URL.

    • The gateway validates the token or cookies in Vyou and then calls the corresponding URL on the third-party backend, adding an X-Vyou-Token header that contains the Vyou Id-Token.
    • If the token or cookies are invalid, the X-Vyou-Token header is not sent.

Once the third-party endpoint is called, the client's backend has to validate the X-Vyou-Token header according to the following rules:

  • If X-Vyou-Token is not sent and the endpoint is public, execute the endpoint without problems.
  • If X-Vyou-Token is not sent and the endpoint requires authorization, return 401.
  • If X-Vyou-Token is sent but is invalid, return 403.
  • If X-Vyou-Token is sent and is valid, execute the endpoint without problems.

Validating this token is one of the features of the Vyou Server SDK.
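The four rules above, written as WSGI middleware for the third-party backend. This is an added example, not Vyou or SDK code: `validate_token` is a hypothetical stand-in for the Vyou Server SDK check, and the `/api/v1/health` path, the `vyou.claims` environ key and the demo token are constructed for illustration.

```python
from http import HTTPStatus

TOKEN_KEY = "HTTP_X_VYOU_TOKEN"  # how WSGI exposes the X-Vyou-Token request header

def vyou_guard(app, public_paths, validate_token):
    """WSGI middleware applying the four X-Vyou-Token rules before `app` runs."""
    # validate_token: hypothetical stand-in for the Vyou Server SDK check; it
    # returns the token's claims or raises ValueError for an invalid token.
    def guarded(environ, start_response):
        token = environ.get(TOKEN_KEY)  # None means the gateway sent no header
        if token is None:
            if environ.get("PATH_INFO") in public_paths:
                return app(environ, start_response)  # anonymous call, public endpoint
            return _deny(start_response, HTTPStatus.UNAUTHORIZED)
        try:
            # A present-but-empty header is validated too, so it fails closed.
            environ["vyou.claims"] = validate_token(token)
        except ValueError:
            # A token that is sent but invalid is rejected, even on public endpoints.
            return _deny(start_response, HTTPStatus.FORBIDDEN)
        return app(environ, start_response)
    return guarded

def _deny(start_response, status):
    start_response(f"{status.value} {status.phrase}", [("Content-Type", "text/plain")])
    return [status.phrase.encode()]

def call(app, path, token=None):
    """Drive a WSGI app with a constructed request and return the numeric status."""
    seen = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if token is not None:
        environ[TOKEN_KEY] = token
    app(environ, lambda status, headers: seen.update(status=status))
    return int(seen["status"].split()[0])

# Constructed demo pieces (not Vyou code): a fake validator and a tiny backend.
def demo_validate(token):
    if token != "constructed-valid-token":
        raise ValueError("invalid token")
    return {"sub": "demo-user"}

def backend(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

# /api/v1/health is a hypothetical public endpoint; every other path requires a token.
APP = vyou_guard(backend, {"/api/v1/health"}, demo_validate)
```

Note that an invalid token is answered with 403 even on a public endpoint, because the "sent but invalid" rule does not depend on whether the endpoint is public.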