PrizmDoc Cloud requires the API key for authentication. The API key is passed as clear text. If an advanced user goes to the browser developer tools, he/she will get hold of the API key easily and be able to create a PrizmDoc viewer session. This may lead to heavy unintended transaction usage. Will it be possible to do a two-pass authentication? For example, at the application end, encrypt the key at rest and then pass it to PrizmDoc Cloud, where PrizmDoc will have something like a secret key to decrypt and then authenticate to PrizmDoc Cloud.
The other option is to authenticate PrizmDoc Cloud through SSO (SAML authentication to Azure AD) with logged in user context.
Please note that there is no issue with passing the API key in transit as the connection is SSL.
Typically customers host the client files for the viewer and then route requests through a local proxy so the api key will not be exposed to the general public.
We have examples of how this is generally set up here:
Our APIs are stateless, so we don't really have the notion of a "user"; the idea of SSO isn't really a concept we currently support.