Read endpoints (GET) require no authentication. All write endpoints (PUT, DELETE) and the business card push endpoint (POST) require authentication. Two authentication methods are supported.

Bearer token (recommended)

Available since phoss SMP v6.0.7. Tokens are created in the management UI under Administration > Security > User Tokens. Pass the token in the Authorization request header:
Authorization: Bearer <token>

Creating a token

1. Log in to the management UI: navigate to your SMP's management UI at /secure/.
2. Open User Tokens: go to Administration > Security > User Tokens.
3. Create a new token: click Create new token and copy the token value. It is only shown once.

curl example

curl -X PUT \
  https://smp.example.org/iso6523-actorid-upis%3A%3A0088%3A5060210000007 \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/xml" \
  --data-binary @service-group.xml

HTTP Basic Auth (legacy)

Uses the SMP user's email address and password, joined with a colon and Base64-encoded:
Authorization: Basic Base64(email:password)

curl example

Use the -u flag with email:password:
curl -X PUT \
  https://smp.example.org/iso6523-actorid-upis%3A%3A0088%3A5060210000007 \
  -u email:password \
  -H "Content-Type: application/xml" \
  --data-binary @service-group.xml

curl automatically Base64-encodes the credentials when you use the -u flag.

Which endpoints require authentication

Method  Path                                          Auth required
GET     /{ServiceGroupId}                             No
PUT     /{ServiceGroupId}                             Yes
DELETE  /{ServiceGroupId}                             Yes
GET     /{ServiceGroupId}/services/{DocumentTypeId}   No
PUT     /{ServiceGroupId}/services/{DocumentTypeId}   Yes
DELETE  /{ServiceGroupId}/services/{DocumentTypeId}   Yes
GET     /businesscard/{ServiceGroupId}                No
PUT     /businesscard/{ServiceGroupId}                Yes
DELETE  /businesscard/{ServiceGroupId}                Yes
POST    /businesscard/{ServiceGroupId}/push           Yes
GET     /smp-status/                                  No
GET     /ping/                                        No

Ownership

Even with valid credentials, a user can only modify service groups they own. Attempting to write to a service group owned by a different user returns 403 Forbidden.

Error responses

Missing or invalid credentials

HTTP/1.1 401 Unauthorized

The response body contains a plain-text description of the authentication failure.

Valid credentials, wrong owner

HTTP/1.1 403 Forbidden

The authenticated user does not own the service group.
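The two Authorization header formats, the percent-encoding of the participant identifier that the curl examples above rely on (the "::" and ":" in iso6523-actorid-upis::0088:5060210000007 become %3A), and the 401/403 distinction from the error responses, as a small Python client. This is an added example, not code from the phoss SMP project; the function names, the https-only check, the sample identifier and the sample credentials are assumptions of the example.

```python
"""Client helpers for phoss SMP write endpoints (added example, not project code).

Assumptions: the helper names, the https-only refusal and the sample values
below are illustrative. The only server-side facts used are the two
Authorization header formats and the 401/403 semantics documented above.
"""
import base64
import urllib.error
import urllib.parse
import urllib.request


def bearer_header(token: str) -> dict:
    """Authorization header for the token-based (recommended) method."""
    return {"Authorization": f"Bearer {token}"}


def basic_header(email: str, password: str) -> dict:
    """Authorization header for legacy HTTP Basic: Base64(email:password)."""
    raw = f"{email}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def service_group_url(base_url: str, participant_id: str) -> str:
    """Build the /{ServiceGroupId} URL.

    The identifier contains '::' and ':', which must be percent-encoded (%3A)
    so the SMP receives it as a single path segment. Plain http is refused
    because both auth methods send a reusable secret on every request.
    """
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send credentials over plain HTTP")
    return base_url.rstrip("/") + "/" + urllib.parse.quote(participant_id, safe="")


def explain_status(status: int, body: str = "") -> str:
    """Map the documented failure codes to an operator-readable message."""
    if status == 401:
        # Missing or invalid credentials; the body is a plain-text explanation.
        return "401: missing or invalid credentials: " + body.strip()
    if status == 403:
        # Credentials were accepted, but the user does not own the service group.
        return "403: credentials accepted but the user does not own this service group"
    return f"{status}: {body.strip()}"


def put_service_group(base_url: str, participant_id: str,
                      xml_body: bytes, auth: dict) -> int:
    """PUT a service group and return the HTTP status.

    Raises RuntimeError with a 401/403-aware message on failure. Needs a live
    SMP, so it is not exercised by the offline demo below.
    """
    req = urllib.request.Request(
        service_group_url(base_url, participant_id),
        data=xml_body,
        method="PUT",
        headers={"Content-Type": "application/xml", **auth},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        raise RuntimeError(explain_status(err.code, body)) from err


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    url = service_group_url("https://smp.example.org",
                            "iso6523-actorid-upis::0088:5060210000007")
    print(url)
    print(bearer_header("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."))
    print(basic_header("user@example.org", "password"))
    print(explain_status(403))
```

The Basic header is the same string curl produces from -u, so the helper is also a quick way to check what a captured request carried; the https check is what keeps that reusable secret off the wire in clear text.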

Security recommendations

  • Prefer Bearer tokens over Basic Auth. Tokens can be revoked without changing your account password.
  • Use HTTPS in production. Credentials sent over plain HTTP are visible in transit.
  • Set webapp.security.login.errordetails = false in production to prevent the server from revealing whether an email address exists.
