
Accepting connections from Settle

Important

Your API must be exposed to the internet.

Settle no longer uses a VPN to secure communication for new integrations.

In this scenario, the Client Service is a Settle service and the API Server is your API server.

Settle will provide you with one service account email for each Settle service that needs to access your server. You must register the email in your system. Typically, there will be a single Settle service that will need to be registered.

When connecting to your API server, Settle will transmit the token in the request headers, in the form Authorization: Bearer <TOKEN>.

You will use a GCP Auth Server to verify that the token included in the request is valid. Then you will verify that the decoded token contents contain the Settle service account email and your endpoint URL as the audience.

To perform the verifications you need to implement code in your API server. This effort should be minimal if you use the appropriate Google client library.

We have included links for several languages in the Reference section.

Sample server implementation in Python

Todo

Description

from typing import Optional

import google.oauth2.id_token
import google.auth.transport.requests


# The service account email is generated by Google Cloud
#  using the project id and the service account name:
# SA_EMAIL = f"{SA_NAME}@{PROJECT_ID}.iam.gserviceaccount.com"
# For example:
# PROJECT_ID = "microcorp-project42-sandbox"
# SA_NAME = "external-auth"
# SA_EMAIL = "external-auth@microcorp-project42-sandbox.iam.gserviceaccount.com"
#
# If you're using Google Cloud, you can use the service account attached
# to the service that is sending the request.


import google.auth.exceptions


def verify_id_token(token: str, sa_email: str, audience: Optional[str] = None) -> bool:
    # Note: the audience is only checked when one is supplied; pass your
    # endpoint URL so tokens minted for another audience are rejected.
    request = google.auth.transport.requests.Request()
    try:
        # Fetches Google's public keys and checks the signature, expiry,
        # issuer and (when given) the audience of the ID token.
        id_info = google.oauth2.id_token.verify_oauth2_token(
            token,
            request,
            audience=audience
        )
    except (ValueError, google.auth.exceptions.GoogleAuthError):
        # ValueError: malformed, expired or wrongly-addressed token.
        # GoogleAuthError: token was not issued by Google.
        print("Unable to verify token.")

        return False

    print("Token in decoded form, verified with aud:", id_info, sep="\n")

    # Only accept the registered Settle service account, and only when Google
    # vouches for the email claim.
    if id_info.get("email_verified") is not True:
        return False

    return id_info.get("email") == sa_email
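The sample above verifies a token you already hold; the request-handling side (reading the Authorization header and re-checking issuer, audience and service account email on the decoded claims) is shown in this added example, which is not part of Settle's documentation. The endpoint URL, the token string and the stand-in verifier are constructed so that it runs offline; in production, `verify` is a wrapper around `google.oauth2.id_token.verify_oauth2_token`.

```python
from typing import Callable, Mapping, Optional

# Issuer values Google uses in its ID tokens (assumed from the Google ID token format).
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def extract_bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <TOKEN>', or None if absent or malformed."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def authorize_settle_request(
    headers: Mapping[str, str],
    sa_email: str,
    audience: str,
    verify: Callable[[str, str], Mapping[str, object]],
) -> bool:
    """True only if the request carries a valid Google ID token for the registered
    Settle service account, minted for this endpoint URL. `verify(token, audience)`
    must check signature, expiry and audience and return the decoded claims,
    raising ValueError otherwise (wrap verify_oauth2_token in production)."""
    token = extract_bearer_token(headers)
    if token is None:
        return False
    try:
        claims = verify(token, audience)
    except ValueError:
        return False
    # Re-check the claims explicitly rather than relying on the verifier's defaults.
    return (
        claims.get("iss") in GOOGLE_ISSUERS
        and claims.get("aud") == audience
        and claims.get("email_verified") is True
        and claims.get("email") == sa_email
    )


# Constructed stand-in for the Google verifier so the example runs offline: it maps
# one opaque token string to the claims verify_oauth2_token would return for it.
SETTLE_SA_EMAIL = "external-auth@microcorp-project42-sandbox.iam.gserviceaccount.com"
ENDPOINT_URL = "https://api.example.com/settle/webhook"  # constructed
FAKE_CLAIMS = {"iss": "https://accounts.google.com", "aud": ENDPOINT_URL,
               "email": SETTLE_SA_EMAIL, "email_verified": True}


def fake_verify(token: str, audience: str) -> Mapping[str, object]:
    if token != "tok-settle-sample" or FAKE_CLAIMS["aud"] != audience:
        raise ValueError("invalid token")  # mirrors the real verifier's failure mode
    return FAKE_CLAIMS
```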