Authentication ensures that API callers in your solutions are authorized to access Symphony resources.

When an API caller starts, it performs session authentication and, if the endpoints it calls require it, key manager authentication to obtain session tokens. These two tokens, which the bot treats as opaque data, are presented in custom headers with each subsequent REST API request.

Perform this process using the RSA public/private key pair workflow.


Session Token Management

The token you receive is valid for the lifetime of a session that is defined by your pod's administration team. This ranges from 1 hour to 2 weeks.

You should keep using the same token until you receive an HTTP 401, at which point you should re-authenticate and get a new token for a new session.

Datafeeds survive session expiration; you do not need to re-create your datafeed if your session expires.
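
The reuse-until-401 rule above, sketched as an added example (not Symphony's own code). The `authenticate` and `send` callables, the `/example` path and the header names `sessionToken` and `keyManagerToken` are assumptions, since this page only says the tokens go in custom headers; the fake pod in `demo()` is constructed for illustration.

```python
from typing import Callable, Dict, Tuple

# Hypothetical callables supplied by the bot: authenticate() -> (session_token,
# km_token) runs both authentications; send(method, path, headers) -> (status, body).


class TokenSession:
    """Reuse tokens until the pod answers 401, then re-authenticate once."""

    def __init__(self, authenticate: Callable, send: Callable):
        self._authenticate = authenticate
        self._send = send
        self._tokens = None  # opaque values; never parsed or logged
        self.auth_count = 0

    def _headers(self) -> Dict[str, str]:
        if self._tokens is None:
            self._tokens = self._authenticate()
            self.auth_count += 1
        session_token, km_token = self._tokens
        # Header names are assumed; the page only says "custom headers".
        return {"sessionToken": session_token, "keyManagerToken": km_token}

    def request(self, method: str, path: str) -> Tuple[int, str]:
        status, body = self._send(method, path, self._headers())
        if status == 401:
            # Session ended: discard both tokens, authenticate again, retry once.
            self._tokens = None
            status, body = self._send(method, path, self._headers())
            # A second 401 goes back to the caller instead of looping.
        return status, body


def demo() -> Tuple[list, int]:
    """Constructed fake pod: session token s1 stops working after two calls."""
    issued, calls = [], []

    def authenticate():
        issued.append(len(issued) + 1)
        return f"s{issued[-1]}", f"k{issued[-1]}"

    def send(method, path, headers):
        calls.append(path)
        expired = headers["sessionToken"] == "s1" and len(calls) > 2
        return (401, "") if expired else (200, headers["sessionToken"])

    session = TokenSession(authenticate, send)
    bodies = [session.request("GET", "/example")[1] for _ in range(4)]
    return bodies, session.auth_count
```

Returning the second 401 instead of retrying again keeps a revoked key or disabled bot account from turning into an authentication loop against the pod.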


Supported Ciphers for the SSL/TLS session

From April 2021, Symphony will only support the following cipher suites:

ECDHE-RSA-AES256-GCM-SHA384 (Preferred)




For more information, please contact your Technical Account Manager, Solutions Architect or the Technical Support Team.

Authentication Using an RSA Public/Private Key Pair

When a bot process (API caller) starts, it calls the RSA Session Authenticate endpoint to authenticate on the Symphony servers (pod). This endpoint examines the provided JWT to identify the bot user and returns a session token.

The bot then calls the analogous RSA Key Manager Authenticate endpoint to authenticate on the key manager. This endpoint returns a Key Manager token.

For more information, see RSA Bot Authentication Workflow.

Updated 2 months ago

