Introduction
This article provides answers to frequently asked API security-related questions.
Tip: For a quick API onboarding guide, refer to API - Onboarding. For onboarding topics, refer to API - General topics FAQ.
Frequently asked questions
How do you authenticate API requests?
The API uses two authentication factors:
- A JSON Web Token (JWT) is obtained through an OAuth2 flow using a client-id and a client-secret. This JWT must be sent in the Authorization header of every API request (bearer scheme).
- The subscription key from the developer portal must be sent in the Ocp-Apim-Subscription-Key header of every API request.
We will provide samples of requests on how to authenticate to the API upon request.
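As an added illustration, not one of the provider's own samples, the following Python client obtains the JWT and attaches both factors to each request. It assumes a client-credentials grant, a placeholder token endpoint URL, and an injectable `http` transport hook so the flow can be exercised without network access.

```python
import json
import time
import urllib.parse
import urllib.request
# Assumption: the real OAuth2 token endpoint comes from the onboarding guide.
TOKEN_URL = "https://TOKEN-ENDPOINT-PLACEHOLDER/oauth2/token"


def _http(method, url, body=None, headers=None):
    """Standard-library transport; returns (status, raw body)."""
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class ApiClient:
    """Caches the JWT and attaches both authentication factors to every call."""

    def __init__(self, client_id, client_secret, subscription_key, http=_http):
        self._client_id = client_id
        self._client_secret = client_secret
        self._subscription_key = subscription_key
        self._http = http  # injectable, so the flow can be exercised offline
        self._token = None
        self._expires_at = 0.0

    def _fetch_token(self):
        # OAuth2 client-credentials grant (assumed); the secret is sent only here,
        # never in API request headers.
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
        }).encode()
        status, raw = self._http("POST", TOKEN_URL, body,
                                 {"Content-Type": "application/x-www-form-urlencoded"})
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        payload = json.loads(raw)
        self._token = payload["access_token"]
        # Refresh 60 s early so no request goes out with an about-to-expire JWT.
        self._expires_at = time.time() + int(payload.get("expires_in", 3600)) - 60

    def headers(self):
        """Bearer JWT plus subscription key: both headers the API requires."""
        if self._token is None or time.time() >= self._expires_at:
            self._fetch_token()
        return {"Authorization": f"Bearer {self._token}",
                "Ocp-Apim-Subscription-Key": self._subscription_key}
```

Because the token is cached until shortly before expiry, the client-secret is transmitted only on the token request, not on every API call.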
Do you use API allow-listing?
No. IP allowlists (whitelists) are not used: because cloud environments are dynamic and IP addresses change rapidly, we no longer offer this option.
Do you use SFTP?
We can set up an SFTP environment for secure data exchange if necessary.
Info: SFTP (SSH File Transfer Protocol or Secure File Transfer Protocol) is a networking protocol that enables file transfer, access, and management over a reliable data stream. It protects the data using encryption and cryptographic hash functions and verifies the identities of both the server and the user.
Do you store customers' data?
No. Nothing sent to the API is stored; data is only held until it is fetched using the /jobs endpoint.
For detailed information, view Protecting customer data on the Location Risk Intelligence Platform.
Do you store our location data?
No. For detailed information, view Protecting customer data on the Location Risk Intelligence Platform.
Do you have a sandbox environment for development and testing?
A dedicated sandbox environment is not provided. Instead, customers can ask for two sets of API credentials for:
- Development, testing, or staging use (pre-production environments).
- Production use.
What is the encryption standard followed by Munich Re on API endpoints?
Only TLS 1.2 is enabled on the APIM instance; older protocols are disabled.
Note: Azure APIM currently supports TLS 1.2 at most: Manage protocols and ciphers in Azure API Management | Microsoft Learn.
Would it be possible to have two separate subscription keys?
There is only one subscription and only one subscription key for all environments. The customer creates this key in the developer portal.
The service provider issues the API accounts, including the client-id and client-secret. Access differentiation is based solely on the client-id.