
BlueID Environments

Information for Developers

Overview

BlueID's backend services are split into the modern, high-level Access as a Service (ACaaS) layer and the low-level, pseudonym-based Identity as a Service (IDaaS) layer.

BlueID - Access as a Service (ACaaS)

The primary, modern interface is the BlueID ACaaS GUI and API. It provides extended management capabilities, including the use of real names for users and locks, the management of groups, and the status of locks.

Endpoints
Service                  URL
ACaaS GUI                https://access.blueid.net
ACaaS API                https://ac-api.ac-prod.blueid.net/v1/doc
ACaaS API description    https://ac-api.ac-prod.blueid.net/v1/doc
ACaaS API Readme         https://ac-api.ac-prod.blueid.net/v1/openapi/introduction.html

The BlueID ACaaS API is recommended for all new integrations: it is easier to integrate, and it works with the BlueID Keys app as well as the BlueID Lockadmin app.

BlueID - Identity as a Service (IDaaS)

The former API, the BlueID IDaaS API, is technically one layer below ACaaS. IDaaS also provides the security layer for ACaaS: all token creations, including those executed through the ACaaS API, are handled by IDaaS. The IDaaS API is not recommended for normal integrations, since it requires considerably more knowledge and more processes to be implemented on the integrator's side. It can be used on request, e.g. for debugging and other low-level operations; credentials are provided on specific request only. The API used by the operator or higher-level systems to manage credentials is called the Operator API.

IDaaS provides two services:

  • The BlueID Operator API is the integration endpoint for customer backend services, e.g. to manage BlueID Tokens, Smartphones (Mobile Devices) and Locks (Secured Objects)
  • The BlueID Device API is used internally by BlueID, e.g. to sync BlueID-enabled smartphone apps and Locks

Endpoints - Production environment (PROD)

The Production environment is for productive use in your end-user application. All production-grade applications have to use this API; the standard SLA is assured for this infrastructure only.

Service                         URL
IDaaS PROD - Operator API       https://operatorapi-prod.blueid.net/operatorapi
IDaaS PROD - API description    https://operatorapi-prod.blueid.net/operatorapi/apidocs/index.html
IDaaS PROD - Device API         https://deviceapi-prod.blueid.net/deviceapi

Endpoints - Integration environment (INT)

Releases are rolled out to the Integration environment first, so that the changes can be tested against existing integrations before they reach Production. Access to the Integration environment is granted to customers on specific request only.

Service                         URL
IDaaS INT - Operator API        https://operatorapi-int.blueid.net/operatorapi
IDaaS INT - API description     https://operatorapi-int.blueid.net/operatorapi/apidocs/index.html
IDaaS INT - Device API          https://deviceapi-int.blueid.net/deviceapi

Separation

A component that has been set up for one environment (PROD or INT) cannot be used with the other one, and vice versa: each component is initialized for exactly one environment, and an API key is only valid for that one environment.

Devices that belong to one environment cannot be used in any other environment. If you want to move your application to the production BlueID Trust Center, you either have to remove and reinstall the application, or call destroy() before reinitializing it for the new environment.

Each environment has two services: the BlueID Device API, with which smartphone apps and Lock Servers communicate, and the BlueID Operator API, which is used for BlueID Token and device management.

Certificate Pinning

It is good practice to use certificate pinning in your client; see the OWASP guidance on this subject.

Since we moved the BlueID Trusted Services to the AWS Cloud infrastructure, it is recommended not to pin our leaf certificates directly, but to pin the Amazon root CA. This way you avoid breaking your clients when our certificates are renewed, while still gaining the security advantage of not being exposed to a compromised or misbehaving CA taking over your connections. Pin the set of Amazon Trust Services root certificates rather than a single one, so that a root rotation on Amazon's side does not lock your app out either.
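The following is an added example, not BlueID's or Amazon's code, showing what "pin the root CA" means in practice: the pin is the SHA-256 of the certificate's DER SubjectPublicKeyInfo (the "sha256/<base64>" form used by HPKP in RFC 7469 and by OkHttp's CertificatePinner on Android), so a renewed certificate that keeps its key still matches, and a chain is accepted when any certificate in it matches a pinned root. It uses only the Python standard library with a deliberately minimal DER walker; the certificates it builds are constructed, unsigned skeletons for exercising the code offline, and pinned_root_context() expects you to pass the PEM text of the real Amazon Trust Services roots (not embedded here) as the only trusted CAs. The TLS 1.2 minimum is this example's choice, not a BlueID requirement.

```python
"""Certificate pinning against a root CA's public key (added example, not BlueID code).

Pins are "sha256/<base64 of SHA-256 over the DER SubjectPublicKeyInfo>".  Hashing the
SPKI rather than the whole certificate means a renewed certificate for the same key still
matches; pinning the root rather than the leaf lets the operator re-issue leaf and
intermediate certificates freely as long as they still chain to a pinned root.
"""
import base64
import hashlib
import ssl


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite-length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, off: int) -> tuple[int, int, int]:
    """Return (tag, body_start, body_end) of the DER TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        return tag, off + 2, off + 2 + first
    k = first & 0x7F
    n = int.from_bytes(buf[off + 2:off + 2 + k], "big")
    return tag, off + 2 + k, off + 2 + k + n


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout)."""
    tag, s, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, off, _ = _read_tlv(cert_der, s)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    if cert_der[off] == 0xA0:                     # optional [0] EXPLICIT version
        off = _read_tlv(cert_der, off)[2]
    for _ in range(5):                            # serialNumber, signature, issuer, validity, subject
        off = _read_tlv(cert_der, off)[2]
    tag, _, end = _read_tlv(cert_der, off)        # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    return cert_der[off:end]


def spki_pin(cert_der: bytes) -> str:
    """Compute the "sha256/<base64>" pin string for a DER certificate."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def chain_satisfies_pins(chain_der: list[bytes], pins: set[str]) -> bool:
    """Accept an (already path-validated) chain if ANY certificate in it matches a pin.
    That is what pinning a root means: leaf and intermediates may change as long as
    they still chain up to a pinned root."""
    return any(spki_pin(c) in pins for c in chain_der)


def pinned_root_context(root_pems: str) -> ssl.SSLContext:
    """SSLContext that trusts ONLY the given PEM roots (e.g. the Amazon Trust Services
    roots) instead of the OS store: passing cadata makes create_default_context skip
    load_default_certs(), which is exactly the point of root pinning."""
    ctx = ssl.create_default_context(cadata=root_pems)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # example's choice
    return ctx


# --- constructed sample input: synthetic, unsigned certificate skeletons ---------------
def build_test_spki(key_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo with algorithm rsaEncryption and an arbitrary key blob."""
    oid_rsa = _tlv(0x06, bytes.fromhex("2A864886F70D010101"))      # 1.2.840.113549.1.1.1
    alg = _tlv(0x30, oid_rsa + _tlv(0x05, b""))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + key_bytes))


def build_test_cert(spki_der: bytes, serial: int = 1) -> bytes:
    """Minimal X.509 v3 skeleton around spki_der with a dummy signature BIT STRING;
    good for exercising the DER walk, never for real validation."""
    oid_sha256_rsa = _tlv(0x06, bytes.fromhex("2A864886F70D01010B"))  # 1.2.840.113549.1.1.11
    alg = _tlv(0x30, oid_sha256_rsa + _tlv(0x05, b""))
    empty_name = _tlv(0x30, b"")                                      # empty RDNSequence
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    tbs_body = (
        _tlv(0xA0, _tlv(0x02, b"\x02"))        # [0] version = v3
        + _tlv(0x02, bytes([serial]))          # serialNumber (keep < 128 for minimal DER)
        + alg + empty_name + validity + empty_name + spki_der
    )
    return _tlv(0x30, _tlv(0x30, tbs_body) + alg + _tlv(0x03, b"\x00" * 5))


if __name__ == "__main__":
    key = b"\x42" * 64
    root_v1 = build_test_cert(build_test_spki(key), serial=1)
    root_v2 = build_test_cert(build_test_spki(key), serial=2)   # "renewed", same key
    other = build_test_cert(build_test_spki(b"\x99" * 64), serial=3)
    pins = {spki_pin(root_v1)}
    print(spki_pin(root_v1))
    print(spki_pin(root_v1) == spki_pin(root_v2))               # renewal keeps the pin
    print(chain_satisfies_pins([other, root_v2], pins))         # chains to a pinned root
    print(chain_satisfies_pins([other], pins))                  # no pinned root in chain
```

The same "sha256/..." strings are what OkHttp's CertificatePinner expects on Android, so a backend can generate them once from the Amazon root PEMs and ship them to every client. Put every Amazon Trust Services root in the pin set, and keep a backup pin for a root you do not use yet; a single pinned certificate turns a routine CA rotation into an outage that only an app update can fix.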