Bold360 and BoldChat Developer Center

Security considerations

Agent, customer, server and API calls must be authenticated with either a token or a token and a full signature, depending on your implementation, to ensure that you are connected to an authorized user or server.

Important: Authentication tokens are valid for 5 minutes.

The Bold360 API only sends data to endpoints with proper SSL certificate configuration. To protect sensitive information, only HTTPS requests are accepted. The endpoint URL must be a fully qualified domain name (FQDN). IP addresses will not work.

Simple Authentication (Token Only)

Simple authentication, the most common authentication method, is performed using a single authentication token parameter. The token is a string in the following format:

[Account ID]:[API Setting ID]:[Timestamp]:[Hashed authentication code]

The token should be passed in the auth parameter.
  • Account ID: Your Bold360 account ID
  • API Settings ID: Generated when you create the API key
  • API key: The auto-generated API key for a specific API Settings ID.
    Remember: Save this key when you create an API setting key. For security reasons, the key will be obfuscated once a new setting is created. See also Set up your account to work with the API.
  • Timestamp: The number of milliseconds since 1970-01-01 00:00:00 UTC (Unix epoch time)
  • Hashed authentication code: SHA-512 hex-encoded hash of [Account ID]:[API Setting ID]:[Timestamp][API Key]

When you use the interactive page, the hashed auth parameter is automatically created for you.

Sample URL 
Parameter | Type | Required | Description
auth | string | yes | Authentication token
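
The token construction described above, as an added example (not Bold360's own code). The function names and sample values are constructed for illustration; check_auth_token is a local self-check, and measuring the 5-minute validity from the token's timestamp and rejecting future timestamps are assumptions of this sketch.

```python
import hashlib
import hmac
import time

TOKEN_LIFETIME_MS = 5 * 60 * 1000  # the page states tokens are valid for 5 minutes


def build_auth_token(account_id, api_setting_id, api_key, now_ms=None):
    """Return [Account ID]:[API Setting ID]:[Timestamp]:[Hashed authentication code]."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)  # milliseconds since the Unix epoch
    prefix = f"{account_id}:{api_setting_id}:{now_ms}"
    # Hash input is the prefix immediately followed by the API key (no separator).
    digest = hashlib.sha512((prefix + api_key).encode("utf-8")).hexdigest()
    return f"{prefix}:{digest}"


def check_auth_token(token, api_key, now_ms=None):
    """Recompute the hash and check the token age; returns (ok, reason)."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    parts = token.split(":")
    if len(parts) != 4:
        return False, "malformed"
    account_id, api_setting_id, ts, digest = parts
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad timestamp"
    expected = hashlib.sha512(
        f"{account_id}:{api_setting_id}:{ts}{api_key}".encode("utf-8")
    ).hexdigest()
    # Constant-time comparison on bytes, so malformed input cannot raise.
    if not hmac.compare_digest(expected.encode(), digest.lower().encode("utf-8")):
        return False, "hash mismatch"
    age_ms = now_ms - int(ts)
    # Assumption: validity is measured from the timestamp; future stamps rejected.
    if age_ms < 0 or age_ms > TOKEN_LIFETIME_MS:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    token = build_auth_token("1234567890", "9876543210", "constructed-api-key")
    print(token)
    print(check_auth_token(token, "constructed-api-key"))
```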

Signed Authorization (Optional)

Signed authentication is performed using a hashless authentication token and a signed parameter.

Important: The signed parameter should incorporate all signed fields, including signed and auth, separated by a URL-encoded ampersand character (%26).
The call string consists of the method name, followed by a question mark, the URL-encoded key-value pairs, the authentication token and the secret key. The SHA-512-encoded hash is used for the signature.
Important: URL-encoded characters in the URL string must be uppercase (for example %3A for the colon character). Note that the C# HttpUtility.UrlEncode method produces lowercase characters.

Sample URL
Parameter | Type | Required | Description
auth | string | yes | Authentication token
signed | string | yes | URL-encoded, ampersand-separated list of signed parameters
signature | string | yes | SHA-512 hex-encoded hash of the signed data
unsigned | string | no | When present, parameters not included in either the signed or unsigned parameters are ignored