Merge pull request #2037 from matrix-org/travis/1.0/appservice-hs-token

Clarify how homeservers are meant to auth themselves to appservices
pull/2046/head
Travis Ralston 6 years ago committed by GitHub
commit 76829ad988
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1 @@
Add missing definition for how appservices verify requests came from a homeserver.

@ -187,6 +187,15 @@ An example registration file for an IRC-bridging application service is below:
Homeserver -> Application Service API Homeserver -> Application Service API
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Authorization
+++++++++++++
Homeservers MUST include a query parameter named ``access_token`` containing the
``hs_token`` from the application service's registration when making requests to
the application service. Application services MUST verify the provided ``access_token``
matches their known ``hs_token``, failing the request with a ``M_FORBIDDEN`` error
if it does not match.
Legacy routes Legacy routes
+++++++++++++ +++++++++++++
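Review bot: The last sentence of the new Authorization paragraph ("failing the request with a ``M_FORBIDDEN`` error if it does not match") covers only a mismatched token and leaves two cases undefined: a request that carries no ``access_token`` at all, and the HTTP status code that accompanies the error. Suggest wording such as "is missing or does not match" and naming the status code next to ``M_FORBIDDEN``, so that every implementation rejects unauthenticated requests the same way. Because the ``hs_token`` travels in the query string, the paragraph could also advise application services to keep the query string out of access logs and to compare the token in constant time.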
