How to get access to the secured data?

Before reading this article please read Data domain first.

Besides every cash register must be authenticated by it’s API key, the srv4pos must know CashRegisterName and ProductionNumber of every cash register to confirm the legalization of your actions. Also, if agreed, srv4pos support team might represent your company for officials.

Therefore the procedure of getting API key supposes you send a little information about your cash register to srv4pos.

The following picture illustrates it.

You exectute POST /activations-advanced (or ActivationSerivice#create(…) ) and pass

• CashRegisterName – it has to be created by user
• DeviceId
• Period (validFrom-validTo) for API key validation, maximum one year, it must be straight at midnight in UTC
• CorporateId of the company that will use the cash register
• Identifier of a software that is called ApplicationPackage
• And some other auxiliary fields

And as a response you get

• Automatically generated ProductionNumber
• APIkey!

So now you can pass it to Authorization header or to ActivationCredentials so that srv4pos can authenticate and authorize you!

I got 403, what’s the problem?

Sometimes server cant authorize you because because Tax Authority must be notified about the registration of the cash register, but it wasn’t!

This is a manual process. Admin will notify Tax Authority, then he approves your request.

To check the latest status, if it’s approved or not, you may use /auth/handshake or handshake (…) (or any other) method.

Another problem of 403 might be that your API key is out of date. Please study the error (java) carefully. In this case you need to rerequest a new key. In this case there is no reason to send so many data as before. Here (java) is an example of how you might pass less amount of data.

Protection against malware usage at customer site

If your POS software is signed by the certificate which is signed by trusted CA (e.g. app from Google Play) but database may be accessed by 3rd party and modified, you may use a special data structure srv4pos provides for you. It is called ActivationDescriptor. It contains all the fields regarding your activation and you can put some additional information. srv4pos also provides you a digital signature of ActivationDescriptor. Assuming you have a public key inside your codebase, which is signed by digital certificate, 3rd party can’t modify it without breaking application signature. ActivationDescriptor and it’s signature can be placed to the database. ActivationDescriptor and it’s signature is returned by the server via /activations/activation-code or getActivationCode(…). Assuming Activation expires, and setting an expiration date is up to you, this feature gives you a great opportunity to protect licensing information for you POS software.