Go To Dashboard

Work with SOTT


Our Registration API is public and uses an API key for requests. In the request header, LoginRadius supports an additional token - SOTT (Secure One Time Token) along with the API key to avoid automated spam registrations.

SOTT can be created using the API key, API secret, and a timestamp (start time and end time). Once generated, SOTT can be used for a short time. Thus, it helps to avoid spam and brute force attacks.

To access Mobile SOTT, login to your LoginRadius Dashboard account, from the left navigation panel, click Configuration and then navigate to the API Credentials section.

Click the down arrow or anywhere within the section and then click the Secure Mobile OTP Token section; the Mobile SOTT screen will appear:

SOTT

In our SDKs, SOTT is automatically handled when the SDK calls the authentication APIs, user registration methods.

Methods to generate SOTT

You can choose to generate SOTT using dashboard configuration or algorithms or our SDK. Refer to the sections below for more details.

Generate SOTT with Dashboard

To generate the SOTT with the Mobile SOTT section, follow the below steps:

  • Select Technology: Select the desired mobile technology from the dropdown, i.e., Android or iOS.
  • New SOTT: Enter the optional tag/comment for the SOTT.
  • Date range of token validity: Select the date range for which the SOTT will remain valid. You need to generate a new SOTT once the existing SOTT gets expired.
  • Click the GENERATE button to generate the SOTT.

Note: Make sure to copy and store the generated SOTT somewhere safe because you won’t be able to see this again.

Generate SOTT Manually

To manually generate a SOTT, use the following algorithm:

Constant values to generate SOTT-

  1. const INITVECTOR = "tu89geji340t89u2";
  2. const KEYSIZE = 256;
  3. const DateFormat = "YYYY/MM/DD H:i:s";

An initialization vector (IV) is a random number used in combination with a secret key as a means to encrypt data. This number is sometimes referred to as a nonce, or “number occurring once,” as an encryption program uses it only once per session.

Follow these steps based on your tech stack:

  1. Calculate DateInterval( Difference of start time and end time ) in the above DateFormat.
  2. Calculate plain text like StartDateInterval + "#" + + "#" + EndDateInterval.
  3. Generate a PBKDF2 key derivation of a supplied encoded Secret key.
  4. Encrypt the text with the below parameters
    • PBKDF2 key
    • Plain text
    • Encoded INITVECTOR
  5. Encode the result data with base64.
  6. Initialize an incremental hashing context with MD5 and pass the result data into the active hashing context.

Implement using Node.js

The Node.js code below will calculate and generate a SOTT dynamically.

'use strict';
// Secret - Your APP secret 
// key -- Your API key
module.exports = function (secret, key, startDate, endDate) {
  var crypto = require('crypto');

  return new Promise(
    function (resolve, reject) {
      var tempToken = '';
      if (!startDate) {
        var date = new Date();
        var nextMonth = date.getUTCMonth() + 1;
        tempToken = date.getUTCFullYear() + '/' + nextMonth + '/' + date.getUTCDate() + ' ' + date.getUTCHours() + ':' + (date.getUTCMinutes() < 10 ? '0' + date.getUTCMinutes() : date.getUTCMinutes()) + ':' + (date.getUTCSeconds() < 10 ? '0' + date.getUTCSeconds() : date.getUTCSeconds()) + '#' + key + '#';
        date.setUTCMinutes(date.getUTCMinutes() + 10);

        tempToken += date.getUTCFullYear() + '/' + nextMonth + '/' + date.getUTCDate() + ' ' + date.getUTCHours() + ':' + (date.getUTCMinutes() < 10 ? '0' + date.getUTCMinutes() : date.getUTCMinutes()) + ':' + (date.getUTCSeconds() < 10 ? '0' + date.getUTCSeconds() : date.getUTCSeconds());
      } else {
        tempToken = startDate + '#' + key + '#' + endDate;
      }
      encrypt(tempToken, resolve, reject);
    }
  );

  function encrypt (plainText, resolve, reject) {
    var initVector = 'tu89geji340t89u2';
    var keySize = 256;
    var iterations = 10000;
    var keyLenNumber = 8;
    var initVectorBuffer = Buffer.from(initVector, 'utf8');
    var plainTextBuffer = Buffer.from(plainText, 'utf8');
    crypto.pbkdf2(secret, Buffer.from(new Array(keyLenNumber)), iterations, keySize / keyLenNumber, 'sha1', function (err, keyBytes) {
      if (err) reject(err);
      var cipher = crypto.createCipheriv('aes-256-cbc', keyBytes, initVectorBuffer);
      var cryptedText = cipher.update(plainTextBuffer, 'utf8', 'base64');
      cryptedText += cipher.final('base64');

      var hash = crypto.createHash('md5');
      hash.update(cryptedText, 'ascii');
      resolve(cryptedText + '*' + (hash.digest()).toString('hex'));
    });
  }
};

Generate SOTT using SDKs

You can also use our SDKs to generate the SOTT dynamically in your application.

  1. Using PHP SDK
$sottObject =  new SOTT();
$encrypt =  $sottObject ->encrypt();
  1. Using Java SDK
Sott sott =new Sott();
String sottresponse =sott.main( < YOUR API KEY >, < YOUR API SECRET > );
  1. Using Node JS SDK

-Create var config in project

var config = {
    apikey: '{{ Your API KEY }}',
    apisecret: '{{ Your API Secret }}',
    sitename: '{{ Your Sitename }}'
}
  • Require the loginradius-v2-sdk package and pass it the config object
var lrv2 = require('loginradius-sdk')(config);
  • Call the getSott function
var startDate = "2017-05-15 07:10:42" // Valid Start Date with Date and time
var endDate = "2017-05-15 07:20:42" // Valid End Date with Date and time

lrv2.authentication.getSott( startDate, endDate ).then( function( response ) {
    console.log( response );
}).catch( function( error ) {
    console.log( error );
});
Edit on GitHub