Introduction
OEM & Bulk Provisioning
Authentication
The REST-API and GraphQL API require authentication for requests. remote.it authentication uses HTTP Request Signature. The advantages of this method are:
- Keys do not expire
- Keys can be disabled and revoked (deleted) by the user at any time
- Keys are not dependent on password
- Keys are more secure (the secret is never transmitted because the request is signed)
With 2FA enabled, you'll need to provide an authentication code when accessing remote.it through your browser, desktop and mobile apps. If you access remote.it using other methods, such as the API or the CLI, you'll need to sign in with credentials using and access key and secret.
Key Management
You can generate, enable, disable and delete keys in the Account section of the web portal here https://app.remote.it. Screen shot is provided below.
Please note: Generation of keys is crypto-random and the secret is only available immediately after creation by clicking the “Show secret access key” link or downloading the key as a CSV file (containing the Access Key ID and Secret Access Key)
You are limited to 2 active access keys. The account page will also show when the key was created and last used for authentication. If you suspect your key has been compromised, generate a new one, replace it in your code and disable. If desired you can delete the compromised key after disabling it.
In addition, if you will be using the REST-API you will also need to retrieve your Developer API Key. This can also be found in the Account section of the web portal.
Create a remote.it Credentials File
You will need to follow the steps above with Key Management to generate your access key and secret before proceeding
Create the following file to save all your remote.it credentials. The file must located be in ~/.remoteit/credentials (in your home directory). For windows, the directory is C:\Users<name>.remoteit\credentials with no extension.
The file is in the standard ini file format:
1
[default]
2
R3_ACCESS_KEY_ID=Z5QCS6ZO7PXXXMVDNXXX
3
R3_SECRET_ACCESS_KEY=XXXWC14Qsktnq/nbF+iXxXq2yc4sVPkQn3J0m5i
4
R3_DEVELOPER_API_KEY=XXXXXXX
Copied!
You can save more than one key pair under different profiles (sections) in the remote.it credentials file. Profile names are case-insensitive, cannot contain a period (.) and default is the default profile name.
API Request Signing
Timezones
Request signing is done for each request independently and is sensitive to clock drift based on the system time of the machine making the API call.
Best practice is to use UTC or GMT when using the signature methods to avoid ambigous time zones when dates are generated by your code.
To authenticate an API request, the client must generate a signature using the previously created key and secret. The REST-API example you will also need your Developer API Key which you can get from your account page https://app.remote.it/#account
Examples
These are examples of query requests only for the purposes of how to do the request signing. Please refer to the schema and usage documentation for requests which are supported.
bash/cURL
Node
Python 3
C#
Other Languages
The examples reads the ~/.remoteit/credentials file for the variables of your access key, secret, and developer key.
GraphQL
1
#!/bin/bash
2
source ~/.remoteit/credentials
3
4
SECRET=`echo ${R3_SECRET_ACCESS_KEY} | base64 --decode`
5
6
HOST="api.remote.it"
7
URL_PATH="graphql/v1"
8
URL="https://{$HOST}/{$URL_PATH}"
9
10
VERB="POST"
11
12
CONTENT_TYPE="application/json"
13
14
LC_VERB=`echo "${VERB}" | tr '[:upper:]' '[:lower:]'`
15
16
DATE=$(LANG=en_US date -u "+%a, %d %b %Y %H:%M:%S %Z")
17
18
DATA='{ "query": "{ login { email devices (size: 1000, from: 0) { items { id name services { id name} } } } }" }'
19
20
CONTENT_LENGTH=${#DATA}
21
22
SIGNING_STRING="(request-target): ${LC_VERB} /${URL_PATH}
23
host: ${HOST}
24
date: ${DATE}
25
content-type: ${CONTENT_TYPE}
26
content-length: ${CONTENT_LENGTH}"
27
28
echo ${SIGNING_STRING}
29
30
SIGNATURE=`echo -n "${SIGNING_STRING}" | openssl dgst -binary -sha256 -hmac "${SECRET}" | base64`
31
32
SIGNATURE_HEADER="Signature keyId=\"${R3_ACCESS_KEY_ID}\",algorithm=\"hmac-sha256\",headers=\"(request-target) host date content-type content-length\",signature=\"${SIGNATURE}\""
33
34
curl --write-out -v -X ${VERB} -H "Authorization:${SIGNATURE_HEADER}" -H "Date:${DATE}" -H "Content-Type:${CONTENT_TYPE}" ${URL} -d "${DATA}" --insecure
Copied!
REST-API
Please note, that you need the DEVELOPER API KEY in addition to the access key and access key secret. This example is for the purposes of demonstrating the REST-API request signing. For the device list, please use the graphQL API example above.
1
#!/bin/bash
2
source ~/.remoteit/credentials
3
4
SECRET=`echo ${R3_SECRET_ACCESS_KEY} | base64 --decode`
5
6
HOST="api.remote.it"
7
URL_PATH="apv/v27/device/list/all"
8
URL="https://{$HOST}/{$URL_PATH}"
9
10
VERB="GET"
11
12
CONTENT_TYPE="application/json"
13
14
LC_VERB=`echo "${VERB}" | tr '[:upper:]' '[:lower:]'`
15
16
DATE=$(LANG=en_US date "+%a, %d %b %Y %H:%M:%S %Z")
17
DATA=''
18
CONTENT_LENGTH=${#DATA}
19
20
SIGNING_STRING="(request-target): ${LC_VERB} /${URL_PATH}
21
host: ${HOST}
22
date: ${DATE}
23
content-type: ${CONTENT_TYPE}
24
content-length: ${CONTENT_LENGTH}"
25
26
echo ${SIGNING_STRING}
27
28
SIGNATURE=`echo -n "${SIGNING_STRING}" | openssl dgst -binary -sha256 -hmac "${SECRET}" | base64`
29
30
SIGNATURE_HEADER="Signature keyId=\"${R3_ACCESS_KEY_ID}\",algorithm=\"hmac-sha256\",headers=\"(request-target) host date content-type content-length\",signature=\"${SIGNATURE}\""
31
32
curl --write-out -v -X ${VERB} -H "Authorization:${SIGNATURE_HEADER}" -H "DeveloperKey:${R3_DEVELOPER_API_KEY}" -H "Date:${DATE}" -H "Content-Type:${CONTENT_TYPE}" ${URL} --insecure
Copied!
GraphQL
This typescript example shows
- 1.How to retrieve credentials from the remote.it credentials file using a
defaultprofile - 2.Use
http-signatureclient library to Authenticate each request - 3.How to query GraphQL using variables and the
httpslibrary
1
import fs from 'fs'
2
import https from 'https'
3
import os from 'os'
4
import path from 'path'
5
6
import httpSignature from 'http-signature' // npm install http-signature
7
import ini from 'ini' // npm install ini
8
9
const R3_ACCESS_KEY_ID = 'R3_ACCESS_KEY_ID'
10
const R3_SECRET_ACCESS_KEY = 'R3_SECRET_ACCESS_KEY'
11
12
const CREDENTIALS_FILE = '.remoteit/credentials'
13
const DEFAULT_PROFILE = 'default'
14
15
const SIGNATURE_ALGORITHM = 'hmac-sha256'
16
const SIGNED_HEADERS = '(request-target) host date content-type content-length'
17
18
const APPLICATION_JSON = 'application/json'
19
20
const GRAPHQL_HOST = 'api.remote.it'
21
const GRAPHQL_URL = '/graphql/v1'
22
23
function getCredentials(profileName = DEFAULT_PROFILE) {
24
const file = path.resolve(os.homedir(), CREDENTIALS_FILE)
25
26
if (!fs.existsSync(file)) throw new Error(`remote.it credentials file not found: ${file}`)
27
28
const credentials = ini.parse(fs.readFileSync(file, 'utf-8'))
29
30
const profile = Object.entries(credentials).find(([name]) => name.toUpperCase() === profileName.toUpperCase())
31
32
if (!profile) throw new Error(`remote.it profile not found: ${profileName}`)
33
34
const [_, section] = profile
35
36
const keyId = section[R3_ACCESS_KEY_ID]
37
38
if (!keyId) throw new Error(`remote.it credentials missing: ${R3_ACCESS_KEY_ID}`)
39
40
const secret = section[R3_SECRET_ACCESS_KEY]
41
42
if (!secret) throw new Error(`remote.it credentials missing: ${R3_SECRET_ACCESS_KEY}`)
43
44
return {keyId, secret}
45
}
46
47
async function graphql(keyId, secret, query, variables) {
48
const body = JSON.stringify({query, variables})
49
50
const options = {
51
host: GRAPHQL_HOST,
52
port: 443,
53
path: GRAPHQL_URL,
54
method: 'POST',
55
headers: {
56
'Content-Type': APPLICATION_JSON,
57
'Content-Length': body.length
58
},
59
body
60
}
61
62
return new Promise((resolve, reject) => {
63
const request = https.request(options, response => {
64
response.on('data', json => resolve(JSON.parse(json)))
65
})
66
67
httpSignature.sign(request, {
68
keyId,
69
key: Buffer.from(secret, 'base64'),
70
algorithm: SIGNATURE_ALGORITHM,
71
headers: SIGNED_HEADERS.split(/\s+/)
72
})
73
74
request.on('error', error => reject(error))
75
76
request.write(body)
77
request.end()
78
})
79
}
80
81
(async () => {
82
try {
83
const query = 'query TestQuery($id: String!) {' +
84
' login {' +
85
' device(id: [$id]) {' +
86
' name' +
87
' endpoint {' +
88
' timestamp' +
89
' state' +
90
' externalAddress' +
91
' }' +
92
' }' +
93
' }' +
94
'}'
95
96
const variables = {
97
id: '80:00:00:00:01:02:03:04'
98
}
99
100
const {keyId, secret} = getCredentials()
101
102
const result = await graphql(keyId, secret, query, variables)
103
104
console.log(JSON.stringify(result, null, 2))
105
} catch (error) {
106
console.error(error)
107
}
108
})()
Copied!
This example is using a helper library
requests_http_signature==v0.1.0 for Python 3 which will sign the request before submitting it to the server. This demonstrates how to safely reference the key and secret from environment variables rather than including it in the code. You will need to set the environment variables before executing.GraphQL
1
import os
2
import requests
3
import json
4
from requests_http_signature import HTTPSignatureAuth
5
from base64 import b64decode
6
7
key_id = os.environ.get('R3_ACCESS_KEY_ID')
8
key_secret_id = os.environ.get('R3_SECRET_ACCESS_KEY')
9
10
body = {"query": "query { login { id email devices { items { id name }}}}"}
11
host = 'api.remote.it'
12
url_path = '/graphql/v1'
13
content_type_header = 'application/json'
14
content_length_header = str(len(body))
15
16
headers = {
17
'host': host,
18
'path': url_path,
19
'content-type': content_type_header,
20
'content-length': content_length_header,
21
}
22
23
response = requests.post('https://' + host + url_path,
24
json=body,
25
auth=HTTPSignatureAuth(algorithm="hmac-sha256",
26
key=b64decode(key_secret_id),
27
key_id=key_id,
28
headers=[
29
'(request-target)', 'host',
30
'date', 'content-type',
31
'content-length'
32
]),
33
headers=headers)
34
35
if response.status_code == 200:
36
print(response.text)
37
else:
38
print(response.status_code)
Copied!
REST-API
Please note, that you need the DEVELOPER API KEY in addition to the access key and access key secret. This example is for the purposes of demonstrating the REST-API request signing. For the device list, please use the graphQL API example above.
1
import requests
2
from requests_http_signature import HTTPSignatureAuth
3
from base64 import b64decode
4
5
# For more on authentication see https://docs.remote.it/api-reference/authentication
6
key_id = os.environ.get('R3_ACCESS_KEY_ID')
7
key_secret_id = os.environ.get('R3_SECRET_ACCESS_KEY')
8
api_key = os.environ.get('R3_DEVELOPER_API_KEY')
9
10
body = '' #update this with your data if posting with a body
11
host = 'api.remote.it'
12
url_path = '/apv/v27/device/list/all'
13
content_type_header = 'application/json'
14
content_length_header = str(len(body))
15
headers = {
16
'host': host,
17
'content-type': content_type_header,
18
'content-length': content_length_header,
19
'DeveloperKey': api_key
20
}
21
response = requests.get('https://' + host + url_path,
22
auth=HTTPSignatureAuth(algorithm="hmac-sha256",
23
key=b64decode(key_secret_id),
24
key_id=key_id,
25
headers=[
26
'(request-target)', 'host',
27
'date', 'content-type',
28
'content-length'
29
]),
30
headers=headers)
31
32
if response.status_code == 200:
33
print(response.text)
34
else:
35
print(response.status_code)
36
print(response.text)
Copied!
This example is using RestSharp to make the requests, and the built in cryptography library (System.Security.Cryptography) to sign the request. This demonstrates using a configuration manager to safely reference the key and secret from environmental variables rather than including it in the code. You will need to set the environmental variables before executing.
ExecuteRequest requires a string which is your graphQL query body.
graphQL
1
private static readonly RestClient Client = new RestClient("https://api.remote.it/graphql/v1");
2
private static readonly HMACSHA256 SignatureGenerator = new HMACSHA256(Convert.FromBase64String(ConfigurationManager.AppSettings.Get("R3_SECRET_ACCESS_KEY")));
3
4
public static async Task<IRestResponse> ExecuteRequest(string requestContent)
5
{
6
string date = DateTime.UtcNow.ToString("ddd, dd MMM yyy HH':'mm':'ss 'GMT'");
7
8
string signatureParams = "(request-target): post /graphql/v1\n" +
9
"host: api.remote.it\n" +
10
quot;date: {date}\n" +
11
"content-type: application/json\n" +
12
quot;content-length: {requestContent.Length}";
13
string signature = Convert.ToBase64String(SignatureGenerator.ComputeHash(Encoding.UTF8.GetBytes(signatureParams)));
14
15
RestRequest request = new RestRequest(Method.POST);
16
request.AddHeader("Host", "api.remote.it");
17
request.AddHeader("Date", date);
18
request.AddHeader("Content-Type", "application/json");
19
request.AddHeader("Content-Length", requestContent.Length.ToString());
20
request.AddHeader("Authorization",
21
quot;Signature keyId=\"{ConfigurationManager.AppSettings.Get("R3_ACCESS_KEY_ID")}\"," +
22
"algorithm=\"hmac-sha256\"," +
23
"headers=\"(request-target) host date content-type content-length\"," +
24
quot;signature=\"{signature}\"");
25
request.AddParameter("application/json", requestContent, ParameterType.RequestBody);
26
27
var response = await Client.ExecuteAsync(request);
28
return response;
29
}
Copied!
You can reference different standard implementations of the signature in different languages from w3c-ccg https://github.com/w3c-ccg/http-signatures/issues/1
Last modified 6d ago