All request to GTM are under authentication management. The authentication is done by the Geoconcept gateway (https://app.geoconcept.com)
Before accessing to GTM, you need to get an authentication token given by the gateway. For that you need to call the gateway (https://app.geoconcept.com/token). the follownig parameters are mandatory :
- appkey: an application key
- apptoken: an application token
These credentials are given by Geoconcept. Each couple key/token is dedicated to a user and is linked with the user lisenses and rights on services and applications.
Query example :
https://app.geoconcept.com/token?appkey=KEY&apptoken=TOKEN
The response is a JSON object which contains the following fields:
- status : the status of the request (OK or ERROR)
- result : the authentication token
Response example:
{
"status":"OK",
"result":"esEfh8uH7J0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.dfdsfdsgvl56kjcjsqkdjzkqhjhgrza24FDghHUF0"
}
The authentication token will be used in each request during the server to server communication and for initializing the IFrame injection.
The two ways to pass the token are :
- as HTTP header : the name of the header is "Authorization". The value is like this pattern "Bearer AUTH_TOKEN", with AUTH_TOKEN, the retrieved authentication token. This way is used for WS calls (POST or GET)
- as Parameter : the name of the parameter is "token" and the value is the retrieved authentication token. This way in all request, even if the header way is recommended. It is mandatory for IFrame injection
Using the injection protocol, the last request will send you a session token, used for IFrame injection to retrieve the GTM context injected.
The IFrame injection must have at least 2 parameters :
- token : the authentication token as describe before (token=AUTH_TOKEN).
- gcTempToken : the session token, from the session token retrieve from the last injection request (gcTempToken=SESSION_TOKEN).
The pattern of the request is:
https://app.geoconcept.com/gtm/gtmintegrationauth?gcTempToken=SESSION_TOKEN&token=TOKEN
After that, a session cookie will be used to manage the security. This cookie is automatically managed by the application.
The following diagram describe the authentication and security process.
