What is a WSKey?
Web service keys, commonly referred to as WSKeys, are the primary method used for authenticating and authorizing interactions with web services available on the OCLC WorldShare Platform. WSKeys authenticate clients sending requests to web services, in effect, creating a “secure pipe” between a remote client and the data and functionality available on the Platform.
Web service keys typically have a secret associated with them. This secret is exactly that, a string which is only known to the client consuming the Platform and the Platform. Some methods of authenticating client require the use of both the WSKey and its secret to verify the identity of the client.
A WSKey can have one more more web service associated with it. To use a particular WSKey with a particular web service, that key must have that web service associated with it. Additionally, often WSKey limit access to a particular institution(s) data. For example: a WSKey associated with University of Wisconsin Madison and the WorldCat Knowledge base can only access University of Wisconsin Madison's WorldCat Knowledge base data. Typically a WSKey only has access to data for a specific institution. However, some WSKeys can access data for multiple institutions.
The Platform uses several patterns to authenticate clients. The mechanism used by each specific service is based on the data contained in the web service and the operations which clients are performing. Simple read web service which contain no personally identifiable information use a simple mechanism for authenticating clients. Web services which perform write operations, contain personally identifiable information or financial data use stricter authentication mechanisms.
Primarily WSKeys are used in three patterns to authenticate clients:
- WSKey Lite - the client just passes the WSKey string
- HMAC Signature - the client uses the key and secret to create a signature for their request and passes that signature in an Authorization header
- Access Tokens - the client uses the key to request a time limited token for making requests against specific services.
Requests for Production WSKeys must go through a validation process to verify the requestor's standing in relation to either their organization or the data they want to access, or both.
To request a WSKey for a particular web service or view existing WSKey information, login to Service Configuration. Have questions about requesting a WSKey? Check out our How to Request a WSKey documentation.
Finally, if you are a developer with WSKeys already assigned, you can conveniently view a list of all of your WSKeys and their parameters from WSKey Management.