Sender
The BaRS standard uses the application-restricted security pattern rather than a user-restricted one: the calling application is authenticated, not the end user operating it. A consequence worth noting is that the API receives no identity for that end user, so recording which user performed an action is the calling application's responsibility. The high-level steps for a sending application are:
- The end user launches the calling application
- Time passes, until the user needs to interact with BaRS
- The calling application generates and signs a JWT, using its own private key
- The calling application calls our OAuth 2.0 token endpoint with the signed JWT. In particular, this uses the OAuth 2.0 client credentials flow
- We check the signature against the application's public key and, if valid, return an access token to the calling application
- The calling application calls the BaRS API, including the access token
- The BaRS API allows the interaction provided the access token is valid
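The steps above, worked through as an added example in Python that is not part of the BaRS documentation or its reference code. It shows both sides of the exchange: the calling application signs a short-lived JWT with its private key and posts it to the token endpoint as a client credentials grant, and the token endpoint looks up the registered public key by `kid`, verifies the signature and claims, and issues an opaque access token that is then sent as a bearer header. Assumptions made here: the JWT uses `RS512` with a `kid` header and `iss`/`sub`/`aud`/`jti`/`exp` claims, the request uses the RFC 7523 `client_assertion` parameters, `TOKEN_URL` is a placeholder, the five-minute expiry is illustrative, and a textbook RSA signature over SHA-512 stands in for RS512 so the file runs with the standard library only. A real client must use a proper JOSE library (PKCS#1 v1.5 padding, keys held in a secure store), and a real token endpoint would also reject replayed `jti` values.

```python
import base64
import hashlib
import json
import secrets
import time
import uuid
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://example.invalid/oauth2/token"  # placeholder, not a real endpoint
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"  # RFC 7523


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- toy RSA: textbook signature over SHA-512, no padding, demo only --------
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 1024):
    """Return (private_key, public_key); 1024 bits keeps the demo fast."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return {"n": n, "d": pow(e, -1, phi)}, {"n": n, "e": e}


def rsa_sign(private_key: dict, message: bytes) -> bytes:
    digest = int.from_bytes(hashlib.sha512(message).digest(), "big")
    size = (private_key["n"].bit_length() + 7) // 8
    return pow(digest, private_key["d"], private_key["n"]).to_bytes(size, "big")


def rsa_verify(public_key: dict, message: bytes, signature: bytes) -> bool:
    digest = int.from_bytes(hashlib.sha512(message).digest(), "big")
    return pow(int.from_bytes(signature, "big"), public_key["e"], public_key["n"]) == digest


# --- calling application side ---------------------------------------------
def _compact_json(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def build_client_assertion(api_key: str, kid: str, private_key: dict, now=None) -> str:
    """Sign a short-lived JWT that identifies the application, not a user."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS512", "typ": "JWT", "kid": kid}
    claims = {"iss": api_key, "sub": api_key, "aud": TOKEN_URL,
              "jti": str(uuid.uuid4()), "exp": now + 300}
    signing_input = f"{_compact_json(header)}.{_compact_json(claims)}"
    return f"{signing_input}.{b64url(rsa_sign(private_key, signing_input.encode()))}"


def token_request_body(client_assertion: str) -> str:
    """Form body for the client credentials grant carrying the JWT assertion."""
    return urlencode({"grant_type": "client_credentials",
                      "client_assertion_type": CLIENT_ASSERTION_TYPE,
                      "client_assertion": client_assertion})


def bars_request_headers(access_token: str) -> dict:
    return {"Authorization": f"Bearer {access_token}"}


# --- token endpoint side: "check the signature against the public key" ----
def verify_client_assertion(assertion: str, public_keys: dict, now=None) -> dict:
    now = int(time.time()) if now is None else now
    header_b64, claims_b64, sig_b64 = assertion.split(".")  # ValueError if not 3 parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS512":  # pin the algorithm; never trust the token's alg
        raise ValueError("unexpected alg")
    public_key = public_keys.get(header.get("kid"))  # registered key for this application
    if public_key is None:
        raise ValueError("unknown kid")
    if not rsa_verify(public_key, f"{header_b64}.{claims_b64}".encode(), b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("aud") != TOKEN_URL or claims.get("iss") != claims.get("sub"):
        raise ValueError("bad aud or iss/sub")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def issue_access_token(form_body: str, public_keys: dict, now=None) -> dict:
    fields = {k: v[0] for k, v in parse_qs(form_body).items()}
    if (fields.get("grant_type") != "client_credentials"
            or fields.get("client_assertion_type") != CLIENT_ASSERTION_TYPE):
        raise ValueError("unsupported grant")
    claims = verify_client_assertion(fields.get("client_assertion", ""), public_keys, now)
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 599, "client_id": claims["iss"]}
```

The two checks most often missed in real deployments are visible here: the verifier pins `alg` instead of reading it from the token, and it resolves the key by the registered `kid` rather than accepting a key carried in the header. Signing over `header.claims` means any edit to the claims (for instance changing `iss` to another application's key) invalidates the signature, and the `aud` check stops an assertion minted for one token endpoint being replayed against another.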