Post revoked customer
In order to use the API's protected endpoints, a new session MUST be established for the service consumer. To do this, a valid Api-Key MUST be sent in the HTTP request headers, together with the data type: session in the JSON request body. Here the API remote service is attacked by trying to send a revoked Api-Key in the HTTP request headers.
The remote service returns the errors status: 403 together with the errors detail: Unknown Api-Key. in the JSON response body.
Request endpoint
POST SERVER:PORT/api/sessions
Response status
201
Request headers
Accept:application/vnd.api+json
Content-Type:application/vnd.api+json
Api-Key:KKKKKKKK-KKKK-KKKK-KKKK-KKKKKKKKKKKK
Response headers
Transfer-Encoding:chunked
Connection:keep-alive
Accept:application/vnd.api+json
Cache-Control:no-cache
Date:Tue, 19 Mar 2024 12:51:56 GMT
Content-Type:application/vnd.api+json
Server:nginx/1.25.4
Request body
{
  "data": {
    "attributes": {
      "note": "A session note"
    },
    "type": "session"
  }
}
Response body
{
  "errors": [
    {
      "status": 403,
      "detail": "Unknown Api-Key.",
      "source": {
        "parameter": "id",
        "pointer": ""
      },
      "title": "Session not established"
    }
  ],
  "links": {
    "self": "/api/sessions"
  }
}
HTTPie example
$ http post SERVER:PORT/api/sessions Accept:application/vnd.api+json Content-Type:application/vnd.api+json Api-Key:KKKKKKKK-KKKK-KKKK-KKKK-KKKKKKKKKKKK << JSON
{
  "data": {
    "attributes": {
      "note": "A session note"
    },
    "type": "session"
  }
}
JSON
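A client-side check for the response documented above, as an added example that is not part of the original API documentation: it treats any errors member in the body as a failed session, even though the response status listed for this call is 201. The function name session_result, the shape of a successful body and the expectation of 201 on success are assumptions.

```python
import json

# Response documented above for the revoked Api-Key (HTTP status 201 as listed).
REVOKED_STATUS = 201
REVOKED_BODY = """{"errors": [{"status": 403, "detail": "Unknown Api-Key.",
  "source": {"parameter": "id", "pointer": ""},
  "title": "Session not established"}],
  "links": {"self": "/api/sessions"}}"""

# Constructed success body; its shape (data.type, data.id) is an assumption.
CREATED_BODY = '{"data": {"type": "session", "id": "constructed-id"}}'


def session_result(http_status, body_text):
    """Return (established, reason); any doubt counts as not established."""
    try:
        doc = json.loads(body_text)
    except (TypeError, ValueError):
        return False, "response body is not valid JSON"
    if not isinstance(doc, dict):
        return False, "top level of the response is not a JSON object"
    errors = doc.get("errors")
    if errors is not None:
        # An errors member decides the outcome even under a 2xx status line.
        if isinstance(errors, list) and errors and isinstance(errors[0], dict):
            first = errors[0]
            return False, "{} {}".format(first.get("status"), first.get("detail"))
        return False, "malformed errors member"
    # Assumption: a successfully created session is answered with 201.
    if http_status != 201:
        return False, "unexpected HTTP status {}".format(http_status)
    data = doc.get("data")
    if not isinstance(data, dict) or data.get("type") != "session" or not data.get("id"):
        return False, "no session resource in response"
    return True, "session established"


if __name__ == "__main__":
    print(session_result(REVOKED_STATUS, REVOKED_BODY))
    print(session_result(201, CREATED_BODY))
```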