TeleSign Introduces REST APIs

Charles McColgan
February 21, 2012

One of the things TeleSign is working on in Q1 is making our APIs available via a REST interface. Today all of our customers access our APIs via SOAP and we've definitely heard that folks want us to provide our APIs in an alternative form since almost all Web Services today use REST.When developing this API we wanted to make sure we were using best practices from a security perspective and that we were developing the API in a way that would be familiar and easy to implement for developers. Unlike SOAP, which has a specific protocol specification around the exchanging of structured information that can be used to create Web Services or other types of services, REST refers to a general software architecture and this architecture can then be used to create web services. In creating a RESTful API the developer then uses things like RFCs and other web standards to create the interface.

When creating the API one of our key goals other than making the API easy to use, extensible and highly performant was to use the very best practices in securing the interface. To be as secure as possible we've implemented HMAC (Hash-based Message Authentication Code) in our auth process to ensure that both communications are properly authenticated and that they can't be manipulated in transit.

To make HMAC work the first thing we do is allow users to share a secret with us. In this case the secret API-Key is generated automatically by TeleSign (to ensure that the key is truly random and not guessable) and then this key is given to the user in our web portal. In the new web portal users will be able to define expiration times for their keys and even be able to generate multiple keys so that they can rotate their keys with us.

The basic way HMAC authentication works is:

  1. The sender and recipient share a secret, for this blog let's just call the secret “The API Key” (an API key is just a randomly generated password like “mRW1Q8xDYTPc423YJs12Aeqk0nPGrtO5“)
  2. The sender when they send their request includes an “Authorization” header with the following attributes:

There are a few advantages to this method:

  1. The secret information is never passed between each party during the transaciton.
  2. Because each party has a copy of the secret key, the sender and recipient are independently able to create the "Authoirzation" token. As long as the token is created in the same way on each side the authorization of the transaction will succeed.
  3. Because the authorization token contains a hash of not only th API Key but the transaction as well, the recipient can be assured that both the transaction is properly authenticated and that it hasn't been modified in transit.

There are two additional items in our HMAC authentication that also offer security to the transaction:

  1. The inclusion of “Date” in the string to sign.
  2. The option of adding a cryptographic nonce to the header.

The advantage of adding a “Date” to the signature string is that it limits the time frame, in which, if somehow a transaction is captured between the sender and recipient that that transaction can be replayed. While all communication between the sender and the recipient will be over SSL, it's always possible that there is some compromise in the sender's infrastructure such that data is captured before it is sent over the SSL channel. In this case the addition of Date allows TeleSign to define a window where we will only accept transactions for a given defined Date within a certain window.

The other thing we do to make sure that transaction can't be replayed is provide the customer the option to include a cryptographic nonce in the transaction. With a nonce included in the hash and passed to us as a header we can store the nonce for a set period of time that is the same as the Date window described above. Using the nonce even if a transaction is captured and the attacker is able to replay that transaction in the Date window, that transaction will only be good once if a nonce is included. If we see a duplicate transaction in a Date window with a duplicate nonce we'll know that the transaction is a bogus one and alarm bells will go off.

To learn more about the use of HMAC you can read a very good article on Wikipedia here or you can read RFC 2104. To learn more about cryptographic nonces you can read more here.

Never miss a thing
Subscribe to our newsletter

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Related Posts

Insights
SIM swap fraud is on the rise. Are your users protected?

SIM swap attacks are a critical threat. If Jack Dorsey can get his Twitter account hacked – how exposed are your users?

Insights
Building a reliable, cost-effective messaging stack

Learn why creating redundancy in your SMS stack is so important and how to start building a reliable and cost-effective messaging stack.

Insights
The Social and Business Impact of Digital Identity

Digital identification makes a happier, healthier, and safer online experience. But what about the experience when user verification fails to exist?

Insights
SIM Swap Detection: A Key Factor in Fraud Prevention

SIM swapping is essentially phone number theft. SIM swap fraud is still on the rise. Learn how to protect your business from SIM swap attacks.

Insights
How To Stay Risk-Free as a "Buy Now, Pay Later" Provider

Before you decide to let your customers "buy now, pay later" (BNPL), it's important your business reaps its benefits, but how to avoid the risks, too.

Insights
Fight Account Fraud With Phone Number Reputation Scoring

These days 2FA is not enough. It can still leave you vulnerable. Find out how phone number reputation scoring can help you achieve greater security.

Insights
What Is The Most Secure Type of Authentication?

These days 2FA is not enough. It's a great place to start, but it can still leave you vulnerable. Find out what tools you can layer on for greater security.

Insights
5+ Reasons PSD2 Compliance Could Benefit You

Learn more about new piece of financial regulatory policy called Payment Services Directive 2 (PSD2) compliance and how it could benefit your business

Insights
Achieving Strong Customer Authentication for Better Digital Security and PSD2 Compliance

Learn more about how you can achieve strong customer authentication and ensure better digital security and PSD2 compliance for your customers with TeleSign.

Insights
Launching Careers and Creating Opportunity with CS You

Through the CS You program, which aims to provide training and placement opportunities in entry-level Customer Success Roles, we welcomed our newest intern.

Insights
Are You Ready for 10DLC?

Learn about 10-digit long code and how to register and switch to an alternative with TeleSign before your SMS messages get blocked.

Insights
How to Get Started With WhatsApp Business – Five Great Use Cases

Learn more about how you can use WhatsApp Business API for omnichannel communications and how to implement this channel into your business

Insights
How to Excel In The Post-Pandemic Marketplace With Omnichannel Messaging

Learn more about how you can integrate multiple messaging channels with one API. With omnichannel messaging you can engage with your customers

Insights
Rising Promo Abuse Puts iGaming Profits at Risk, but 2FA and Digital Identity Can Protect a Big Pay Day

Leverage 2FA and digital identity signals to protect your iGaming gambling accounts

Insights
Growing Dating Apps Securely

Every day we hear about a new dating app with a unique angle. Learn how dating apps can scale while protecting their users over the entire customer journey.

Insights
The Value of 2FA and Score

Learn how TeleSign's 2FA verification solution uses Score to complement all your account security needs

Insights
Finding New Ways to Reach Customers with an Omnichannel Strategy

What is an omnichannel strategy? Learn more about how to contact your customers where they are, when they want it with a contextual omnichannel strategy.

Insights
Supplier Fraud and the Digital Identity Solution

When it comes to marketplaces, it's not always the customer committing fraud. Learn more about supplier fraud and digital identity solutions in this blog...

Insights
Prime Day, Black Friday and Keeping Shopping Holidays Safe

Check out this blog that speaks more about what should eCommerce platforms be on the lookout for during spikes of activity in times of shopping holidays

Insights
The Value of Programmable Communications (During a Pandemic)

Learn more about how programmable communications help during a quarantine by using SMS messages and Voice calls in applications and websites.

Insights
Super Shopping in Singapore

Learn more about one of Southeast Asia's largest shopping holidays in Singapore and the importance of fraud protection through 2FA and phone-based APIs.

Insights
Get Smart: Protecting Connected Devices

Learn more about how leaving your connected devices unsecured can cause real problems. Many can be a subject to account takeover or other types of frauds...

Insights
No ID: Keeping Online Marketplaces Safe in the Digital World

Learn more about how one pair of roller skates made me rethink digital identity and marketplaces and how to keep safe in all digital ecosystems.

Insights
Why We Link Communication and Digital Identity

Learn about Rich Communication Services (RCS) messaging, what it is, what it can do and how it will affect the future of A2P messaging.

Insights
Score Big with Digital Identity in India

Learn how TeleSign's flagship digital identity solution, Score, can help protect your platform and users in the Indian market.

Insights
RCS Through the E-commerce Funnel

Learn how TeleSign can help e-commerce platforms use RCS to engage users at all points of the customer lifecycle and drive higher revenue.

Insights
Know Your Customers in India

TeleSign is introducing expanded Know Your Customer solutions in India to improve conversion rates, fight fraud and bolster end user communication.

Insights
How Digital Identity Fights Election Fraud

Learn how bots and trolls influence election fraud and how TeleSign uses digital identity to fight back by removing fake accounts from social platforms.

Insights
Number Masking for an Anonymous Communication Experience

Learn how TeleSign's Number Masking solution can provide an anonymous communication experience, protecting the privacy of your employees and customers.

Insights
Protecting Transactions from Chargeback Fraud

Learn how TeleSign protects purchases at the transaction level with digital identity, preventing payment frauds such as chargeback fraud.

Insights
How TeleSign Protects Transactions from SIM Swap Fraud

Learn how TeleSign uses sophisticated mobile identity solutions to protect your users from account takeover and SIM Swap attacks.

Insights
3 Ways to Protect E-Commerce Transactions During Covid-19

Learn all of the ways that TeleSign uses digital identity to protect your transactions with the heightened internet activity associated with Covid-19.

Insights
Using Phone Numbers in Fraud Prediction Models

TeleSign analyzes phone numbers in fraud prediction models

Insights
USE CASE: How to Reduce Fake Accounts with Digital Identity

Leveraging both 2FA and digital identity to reduce fake accounts on your platform, leading to a much safer ecosystem for your real users.

Insights
Mobile App Onboarding Guide: Increase Account Registrations

Looking to increase mobile app registrations? Learn how to improve your registration conversion rate with Telesign's mobile app onboarding e-book.

Insights
Upgrade from Facebook Account Kit to TeleSign

Facebook Account Kit has been deprecated, learn how to upgrade to TeleSign SMS Verify for your verification needs.

Insights
What's Your Number?

With TeleSign's Phone Numbers API companies can purchase shared or dedicated phone numbers to create a trusted line of communication with their customers.

Insights
Scam Likely: Why Your Business Needs Caller ID Management

Caller ID Management allows brands to control the caller ID displayed in communication with their end users.

Insights
SIM Swap: The Gateway Hack

TeleSign to offer SIM Swap protection in US, Canada, UK, Nigeria, South Africa, France and Australia.

Insights
RCS Use Cases

Learn how RCS can drive engagement with your end users by discovering all of the fun use cases for RCS.

Insights
What is RCS and What Does it Mean for the Future of A2P Messaging?

Learn about Rich Communication Services (RCS) messaging, what it is, what it can do and how it will affect the future of A2P messaging.

Insights
SIM SWAP: The Ultimate Con

SIM Swap is a type of account takeover that can be tough to stop unless you rely on carrier data attributes, learn about SIM Swap and how TeleSign stops it.

Insights
TeleSign and RapidAPI: A Match Made in Heaven

TeleSign partners with RapidAPI. Learn more about the partnership and which TeleSIgn APIs are currently available for authentication and user management.

Insights
Stop Account Takeover Using Two Factor Authentication

Learn more about how using 2FA can prevent most forms of account takeover and how you can protect and authenticate your customers with TeleSign solutions.

Insights
12 Awesome Features on TeleSign's Voice API

Learn about the 12 new features of TeleSign's Voice API

Insights
7 IVR Use Cases for Banks

Learn the 7 ways banks can use interactive voice response (IVR) to increase customer engagement through different types of automated notifications

Insights
Verify COD Orders With Interactive Voice Response (IVR)

Learn more about internet retailers can save money by verifying Cash on delivery (COD) orders with IVR on TeleSign Voice.

Insights
Two-way Anonymous Calling API - TeleSign Voice

TeleSign provides 2-way anonymous calling APIs & app solutions to protect the privacy of users on your platform.

Insights
IRSF Fraud and the Troll Toll: How It Can Cost You

IRSF fraud can cost your business hundreds of thousands of dollars over time. Learn how to prevent it using TeleSign Score.

Insights
Wake Up With SMS Messages Powered by TeleSign and Microsoft Flow

TeleSign can send you automated SMS messages powered by Microsoft flow

Insights
TeleSign Co-Founder Named to OWI Top 100 Influencers in Identity

OWI is a market intelligence and strategy firm focused on identity, trust and the data economy. TeleSign co-founder named top 100 influencers in identity

Insights
Master Class: Stacy Stubblefield Teaches the Power of Mobile Identity

Stacy is a digital entrepreneur, security expert, and the Co-Founder of TeleSign. She teaches her free master class on the power of mobile identity

Insights
How Do We Detect a Number From a SIM Farm? There's an API for That!

Check out TeleSign blog series! In this one you can learn more about how TeleSign APIs can protect your users from the SIM farm scam that is on the rise

Insights
How To: Build Your Own SMS Doorbell

If you are looking for a fun way to get acquainted with TeleSign's SMS API, check out our step by step instructions on how to build a handy SMS doorbell.

Insights
How Do We Detect Shady Phone Numbers? There's an API for That!

Learn more about how you can start using TeleSIgn APIs to detect shady phone numbers used by fraudsters and how to fight back with TeleSign Score.

Insights
Remember: Only You Can Prevent SIM Swap Fraud

Knowing when a user activated their current SIM card (or last ported their number) could stop this attack.

Insights
How Do We Detect Anonymous VOIP Numbers? There's an API for That!

In the series of blog posts There's an API for that, TeleSign discusses APIs that can detect anonymous VOIP numbers that could put you in danger. Learn more

Insights
How Do We Verify Phone Numbers? There's an API for That!

Learn more about all the ways TeleSign's APIs can help your business combat fraud and engage customers and how you can prevent fake accounts.

Insights
Field of Dreams: A New Frontier of SMS and Voice Marketing

Learn more about how TeleSign provides SMS and Voice marketing capabilities surrounding for sporting events through different types of notifications

Insights
Send SMS Messages Powered By TeleSign Directly from Microsoft Flow

TeleSign's SMS API services are now available as a Microsoft Flow Connector, a cloud-based software tool that allows users to create & automate workflows...

Insights
Burning Down the House: How Prepaid Phones Are Dominating Fraud

The quarterly RSA fraud report validated what we've long warned customers about at TeleSign; burner phones are heavily linked to fraudulent transactions

Insights
Using Microsoft Dynamics 365 for Marketing? Try Our SMS App!

More businesses are interested in connecting with their customers through SMS marketing and TeleSign & Microsoft Dynamics 365 for marketing make it easy.

Insights
Talabat Places an Order for Fraud Protection with TeleSign

TeleSign implemented two factor SMS authentication for Talabat which simultaneously fixed both of their problems. Talabat is now reporting reduced fraud.

Insights
Mobile App User Verification Made Even Easier

How can businesses verify users and block fraud, without incurring significant operational costs or causing too much friction for good users?

Insights
Exploring Our Self-Service Customer Portal

Our team is always working on improvements to our self-service customer portal to ensure that creating an account and more is as easy possible as possible

Insights
How to Get Customers to Opt In to Your SMS Services

Customers want to be texted. All your business has to do is design some simple and compliant* ways to get them to opt in to your SMS services.

Insights
How to Use Our SMS API

Check out TeleSign infographic on how to communicate with customers more effectively with our SMS API and provide timely personalized info through SMS

Insights
We've Got Your Number! (Dedicated Sender and/or Caller ID, That Is)

TeleSign offers dedicated, custom Sender and Caller IDs for branded experiences. Learn more!

Insights
How to Use SMS to Communicate & Market to Baby Boomers

If your business caters to baby boomers, adopting an SMS messaging strategy is key to meeting the needs of your customer base.

Insights
Protect Your Voice Traffic From Costly International Revenue Share Fraud

Customers can now address IRSF issues by performing an optional fraud risk Score check before triggering voice transactions.

Insights
The Top 10 Things We're Doing at TeleSign to Comply With the GDPR

Learn about all the things we ate TeleSign are doing in order to be compliant with GDPR. Check out top 10 topics we cover with our GDPR policy

Insights
Connect Your Users, Privately, With Phone-Number-Masked SMS

How do you enable your users to easily communicate with one another through SMS messaging, without providing each with the other's personal phone number?

Insights
How to Use SMS to Increase Visitors to Your Website

If driving visitors to your site is one of your company's main priorities, here are some ways SMS it be used as a powerful tool to help you reach your goal.

Insights
8 Ways to Use SMS to Improve Guest Satisfaction in Hotels

The instant contact and flexibility of SMS messaging allows you to improve your guest experience in a number of ways.

Insights
Using SMS in Crisis Management Communications

Including an SMS communication aspect can help prevent the crisis from worsening and facilitate recovery

Insights
How SMS Notifications Can Take the Stress Out of Flight Delays

Revolutionize your passenger notification system with an SMS messaging API that will increase customer satisfaction across the board.

Insights
7 Ways to Improve Customer Service With SMS Messaging

Implement an SMS messaging system that will strengthen your customer service performance. With TeleSign's APIs you can engage customers with SMS messaging.

Insights
Why Are You Still Letting Bad Users In?

business depends on the acquisition of new & engaged users, preventing fraud at account registration isn't complicated

Insights
SMS Messaging: How Businesses Can Reduce Appointment No-Shows

While people have many reasons to miss an appointment or reservation, one of the most common reasons is that they simply forget.

Insights
Sending an SMS or Voice Message With Node.js

Announcing the release of a Node.js SDK wrapper for TeleSign's APIs. Developers will be able to access Messaging, Voice, PhoneID, App Verify and Score APIs.

Insights
Millennials & Text Messages: Make Them Your OTP

Don't let changing times and technology affect your bottom line. Retaining your largest customer base is possible with quick, simple mobile messaging.

Insights
Long URL Problems? Get Fewer Characters & More Data—Automatically—for Free

Our URL shortening feature enables you to add short, tracked URLs to SMS customer communications. Learn more about the SMS API feature and try it out today!

Insights
Current Trends in Application-to-Person (A2P) Messaging

Learn more about Application to Person (A2P) messaging trends and how businesses use it to reach and engage with customers in a secure way.

Insights
App Verify: Now Offering iOS & Android SDKs for Complete Mobile App Phone Verification Solution

“Our goal is to provide a better experience for our developers and their end users and the new App Verify for iOS SDK delivers on both aspects.”

Insights
13 Times Customers Super Appreciate Being Sent an SMS

Customers love to see these types of text messages pop up, and we've learned that the following types of messages are among those that perform best.

Insights
Taking on the $8B Communications Platform as a Service Market

Developers can now sign up with TeleSign for a free trial, get API credentials along with $5 in free credits and start using TeleSign APIs.

Insights
How the Turing Test Impacts Cybercrime & Cybersecurity

2014's The Imitation Game, portrays mathematician Alan Turing's mastery over the “unbreakable” German code, Enigma, during World War II...

Insights
How-to: Using TeleSign to Reduce Fake Accounts

This tutorial provides a best-practice approach to reducing fake accounts that is recommended by TeleSign's experienced team of security professionals.

Insights
10 Best Practice UI Tips for Phone Verifying End-Users

To help ensure the best overall user experience—one that promotes general security awareness and can ultimately increase end-user adoption and conversion...

Insights
CAPTCHA Codes: Are They the Best Fraud Prevention Solution for Your Business?

In terms of security and user experience, captcha codes are probably not the best option. Learn about the alternative and how you can prevent fraud.

Insights
In Support of 2FA: Why NIST's Recommendation Is a Step in the Wrong Direction

Security is constantly evolving. The password must die and be replaced by stronger, more secure methods of online accounts. To date, SMS OTP remains ...

Insights
Better Together: Score and Verify With TeleSign

Use TeleSign's verification products in conjunction with Score, and implement the most advanced and reliable end-user account security solution on the marke

Insights
Are Passwords Leaving You and Your Users Vulnerable? It's Time to Embrace “The Future of Account Security”

What new types of security are in-house security professionals looking at to help increase end-user account security for their companies?

Insights
Coupon & Promo Abuse: Stop Users From Taking You for a Ride

Coupon and promo codes are a proven method of attracting new business. But businesses should be on the lookout for users attempting to exploit these effort

Insights
Is Your Business Impacted by IRSF Attacks? We Can Help

We've kept a close eye on IRSF attacks an have developed best-practice recommendations to help customers put the products and processes in place to fight it

Insights
The Cost-Effective Way to Verify Users and Increase Security

Learn how TeleSign can help your business combat the rising costs of SMS, while offering a secure end-user experience. Read more!

Insights
Number Deactivation and the Recycled Phone Number Dilemma

Learn how phone number deactivation and recycling can impact fraud prevention and increase risk for the integrity of the end-user account.

Insights
8 Ways Phone Verification Will Help Your Web or Mobile App

Learn how your business can benefit from using phone verification and protect your users and your business with TeleSign solutions.

Insights
App Verify: Simple & Secure Mobile App Verification

To address the growing need for increased security around mobile app user registrations, TeleSign has launched Auto Verify.

Insights
Common Questions About Two-Factor Authentication

To help make the Internet a safer place for all we decided to jump in and answer some frequently asked questions about 2FA.

Ready to deliver
a trusted experience?

We’re ready to help you:
✓ Streamline & secure onboarding
✓ Reach your customers on the channels they trust
✓ Safeguard your customers’ accounts
✓ Establish comprehensive fraud protection

Products
ScorePhoneIDSMSVoiceVerificationRCSMessaging APIWhatsApp APIPhone NumbersNumber MaskingViber
Solutions
OnboardingFraud PreventionAccount IntegrityEngagement
Resources
BlogEventsDeveloperLearnCustomersSupportPartners →
Social
Company
AboutCareersPressContact
Newsletter
© 2021 TeleSign / Terms & Conditions / Privacy Notice / Privacy Whitepaper