Security Concept

Your Selfbits REST-API is secured by multiple access barriers:

  1. REST-API is only accessible via secure HTTPS communication
  2. REST-API is only accessible by your authorized clients using either
    • sb-app-id (public key) and sb-app-secret (private key) for desktop applications, hidden server code access or mobile apps
    • sb-app-id (public key) and an allowed request origin (defined by the developer) for web applications hosted at the allowed origin
  3. REST-API (except login and signup) is only accessible by authenticated users sending a valid JWT token-based Authorization header
  4. REST-API resources are secured by a role based access management that authorizes the authenticated user to access or update certain resources

If you created a Selfbits project myproject and you want to login as a preexisting user to fetch this user's profile, the terminal commands could look like this:

Login to authenticate user and get an access token

$ echo '{"email": "", "password": "secretpassword"}' | curl -i -d @- \
    -H "Accept: application/json" -H "Content-Type: application/json" \
    -H "sb-app-id: my_project_specific_app_id"  \
    -H "sb-app-secret: my_project_specific_app_secret"  \
    -X POST

Your response should look similar to this:

    "token": "my.secret.token",
    "userId": "user1234"

Fetch the current user's profile, a command line request with curl

$ curl -i \
    -H "Accept: application/json" -H "Content-Type: application/json" \
    -H "Authorization: Bearer my.secret.token"  \
    -H "sb-app-id: my_project_specific_app_id"  \
    -H "sb-app-secret: my_project_specific_app_secret"  \
    -X GET


The profile response of this user may look like this:

    "_id": "57604c0b0198432d2c0b9d8b",
    "role": "user",
    "ownerId": null,
    "providers": [],
    "devices": [
            "uuid": "myuniquedeviceuuid",
            "platform": "Android",
            "model": "5.0.1",
            "serial": "xyz",
            "verified": true,
            "notificationActivated": true
    "picture": null,
    "displayName": "Mr. Web",
    "emails": [
            "email": "",
            "primary": true,
            "verified": true
    "accountState": {
        "enabled": true,
        "expired": false
    "__updatedAt": "2016-06-17T11:18:39.637Z",
    "__createdAt": "2016-06-14T18:25:15.000Z",
    "__v": 3