==============================
Access control and throttling
==============================

Access control
---------------

The API is available to any user who has access to the
regular management server interface. Each application that integrates
with Bonding Internet should be given its own user account, and that
account should be given only the minimum permissions necessary for the
application to work (i.e. don't put the account in the `Administrator
group <../../users-groups-permissions/default-groups.html>`__ unless the application really
needs every single permission). Like the regular web application, the
API uses SSL encryption for security.

Two methods are provided for gaining access to the API:

#. Cookie-based session authentication. This is the method used by web
   browsers. To use this method, you must first log in to the regular
   web application.
#. HTTP basic authentication. HTTP clients and programming libraries
   differ in how this authentication method is configured; please see
   your client's documentation for details.

Applications should log in with their email address and password.

.. warning::

    An account's username can be used for authentication, but this was
    deprecated in Bonded Internet 2015.4. Username authentication will be
    removed in a future release. Existing applications should be updated to
    log in with an email address.

Throttling
-----------

The management server API performs no request throttling.
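
The following is an added example, not part of the original documentation or the product's own code, and it covers both sections above: it builds an HTTP basic authentication request with the account's email address, refuses non-HTTPS URLs, and spaces out requests on the client side because the server applies no throttling. The host ``management.example.com`` and the ``/api/`` path are placeholders, and ``Pacer`` is a hypothetical helper.

```python
import base64
import time
import urllib.request
from urllib.parse import urlsplit

# Placeholder URL (assumption): the page does not list real hosts or endpoints.
BASE_URL = "https://management.example.com/api/"


def basic_auth_header(email, password):
    """Return the HTTP basic Authorization header value for an email login."""
    if "@" not in email:
        # Username logins are deprecated; insist on the email address.
        raise ValueError("log in with the account's email address")
    if ":" in email:
        # RFC 7617: the user-id part cannot contain a colon.
        raise ValueError("login must not contain ':'")
    token = base64.b64encode(f"{email}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_request(url, email, password):
    """Build an authenticated request, refusing anything but HTTPS."""
    if urlsplit(url).scheme != "https":
        # Basic credentials are only base64-encoded, so never send them in clear.
        raise ValueError("refusing to send credentials over " + url)
    req = urllib.request.Request(url)
    req.add_header("Authorization", basic_auth_header(email, password))
    return req


class Pacer:
    """Hypothetical client-side spacing between requests (the server applies none)."""

    def __init__(self, min_interval, clock=time.monotonic, sleep=time.sleep):
        self.min_interval = min_interval
        self.clock, self.sleep = clock, sleep
        self.last = None

    def wait(self):
        """Sleep if the previous request was too recent; return seconds slept."""
        now = self.clock()
        delay = 0.0
        if self.last is not None:
            delay = max(0.0, self.min_interval - (now - self.last))
        if delay:
            self.sleep(delay)
        self.last = now + delay
        return delay
```

Call ``Pacer.wait()`` before passing each request from ``build_request`` to ``urllib.request.urlopen``, and load the password from a secret store rather than from source code.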
