In order for your app to communicate with the Airship API it must use a key and secret combination that authenticates it to your Airship app setup. These keys are generated automatically when you create an app in our dashboard, and you manually copy them into your iOS, Android/Amazon or Windows app configuration. Since app bundles are fundamentally considered insecure (they can be decompiled), this key and secret combination limits the APIs that your device can communicate with. This allows the device to modify tags, and aliases for a specific Channel, device token, APID or Pin, and nothing more.
Push addresses/tokens are sufficiently random that they can be considered obscure, and the associated data is low risk. We employ additional security on our servers to monitor for abuse. Tags and aliases should be considered obscure, however they are trusted APIs for devices to access so you should not place sensitive information in a tag or alias.
We generate one additional piece of data called the Master Secret, which is used to do all communication with our wider APIs. The Master Secret should never be placed in an app bundle, nor released to the public. This is the secret you use to authenticate requests to our server for generating pushes, rich app pages, and more.
Airship-generated string identifying the app setup. Used in the application bundle. Only available in the Airship dashboard.
Airship-generated string identifying the app setup secret. Used in the application bundle. Only available in the Airship dashboard.
Airship-generated string used for server-to-server API access. This secret must never be shared or placed in an application bundle. Only available in the Airship dashboard.
Airship-generated string used for server-to-server API access to create and manage applications for partner integrations. This should never be shared or placed in an application bundle. Only available through manual channels.
Airship-generated string passed back to devices and stored in the device keychain for authenticating user-related device API actions when paired with the Password. This is not the same as your Airship dashboard login.
Airship generated string passed back to devices and stored in the device keychain for authenticating User related device API actions when paired with the User ID. This is not the same as your Airship dashboard password.
Push Address or Token
A unique proprietary string generated by device vendors (Apple, Google, Windows, Amazon) for identifying an addressable push device. This is passed back to the device via vendor specific APIs and then stored by Airship for addressing push messages and authenticating push related APIs.
Web Portal Login
The User ID and Password used by an Airship customer to log in to the Airship portal to
configure apps, manually send pushes through Push Composer, view Reports, etc. This is listed for clarity
here as it is different from the User ID and Password listed above. The Web Portal is located
go.airship.eu depending on the domain used when setting up your account.
API Authentication Map
|Tags||App Key/Secret & Token||Single: App Key/Secret & Token Enumerate: App Key/Secret||App Key/Secret & Token||Single from Device: App Key/Secret & Token All tags, all devices: Master Secret|
|Alias||App Key/Secret & Token||Single: App Key/Secret & Token Enumerate: N/A||App Key/Secret & Token||App Key/Secret & Token|
|Device Token/APID/PIN Registration||App Key/Secret & Token||Single: App Key/Secret & Token Enumerate: Master Secret||App Key/Secret & Token||App Key/Secret & Token (marks inactive)|
|Push Message||Master Secret* (unless push from device feature||Scheduled Push: Master Secret||Scheduled Push: Master Secret||Scheduled Push: Master Secret|
|Rich Push Message||App Key/Master Secret||User ID/Password||N/A||User ID/Password|
|User||App Key/Master Secret||Single: User ID/Password or Master Secret Enumerate: Master Secret||User ID/Password or Master Secret||User ID/Master Secret* (marks inactive)|
|Partner API||Partner Key/Secret* (only available to partners)||Partner Key/Secret||Partner Key/Secret||Partner Key/Secret|
Tag & Alias Security
Tags and aliases are considered obscure, but not secure in our system. We recommend that you not use them to store sensitive information. The obscurity varies by platform, as push addresses/tokens are a different format for each vendor (Apple, Google, Microsoft, Amazon). Typically these are UUIDs or similar, but this is not guaranteed and should be considered proprietary in nature. In order to gain access to a specific device's tags or aliases from an unauthorized source you would need to guess the push identifier, which is mathematically improbable, or obtain it by other means.
Given that certain tag operations can be completed without the master secret it is possible for a user, with the app key, secret and push address, to list tags for an app and subscribe or unsubscribe themselves to those tags. Please be aware of this as you plan your own usage of the tag API.