The authentication is handled by FSI Server itself to be independent of the application server and allow a more flexible user management. In order to authenticate itself a client application must be able to handle cookies. If it has received a cookie from the server, this cookie must be sent with every following request to the server.

Two requests are necessary to authenticate the client application. The first is a GET request addressed at the Login URL:


This returns a JSON or an XML response. If the server is not ready to authenticate users, the response will contain an error message describing the problem. If the server is ready the response will describe how the password needs to be submitted to the FSI Server as a value for loginmethod. By default the value will be hash, stating that a password hash is submitted instead of the password itself. If FSI Server is configured to autheticate against a Kerberos Server though, then the password itself is required by the server. If the login method is stated to be hash, then the response also contains a salt. The exact format of the response and the possible values is described in "SaltResponse". The client application must then use the salt to create a password hash using a SHA-256 algorithm of the form


hash = sha256(salt + sha256(password))


where the plus is the concatenation of two strings. The resulting hash or the plain password is then posted to the Login URL as value of a variable called password together with the login name as value of username. The response to this post request will include a state which is either success of failed and a message including details on the failure. In case of success the response will also contain the number of seconds until the valid session will expire. This response is described in "LoginResponse".

If an inactive client application wants to extend the session without performing any actions it can send GET requests to


If the session is valid the response will contain the number of seconds until the session will expire. See also "SessionRefreshResponse".

When the user logs out or when the client application has completed its tasks or exits it should log out. This is done by sending a GET request to


This destroys the session and returns an empty response.