Android Web Service Access

Monkton, Inc.

Rebar itself allows for Web Services to be accessed via API Endpoints within the Rebar Hub. We have added the ability to call Web Services directly from apps itself, in a secured manner you can use to validate users and their credentials.

When a user logs into an app built with Rebar, they are issued a set of Rebar Bearer Tokens (RBT) that are stored within the app. Each request made by the app secured by Rebar via HTTPS is then signed with the RBT and passed as headers for the the server to authenticate the user and context. (These can be embedded in your web service calls with the RebarUtil.instance.signedRebarHeaders convenience method).

Going directly to the web service will avoid the overhead of an extra hop from the Rebar Hub, increasing performance of the app secured with Rebar.

Web Service Token Guidance

We have provided this documentation here that discusses generating Web Service Bearer Tokens (WSBT) for consumption by apps

Checklist for Web Service Access

Token Generation Checklist

  • Identify how you would like to generate tokens

    Your web service will need to be able to generate an initial token for the user of the web service. Your Token Generation Service must be able to call the Rebar Token Validation Service

  • Generate Tokens for Users

    Once your Token Generation Service has invoked the Rebar Token Validation Service and obtained a valid user, the service shall generate tokens and assign a TTL to the token

  • Securely store tokens in the app

    If writing a bespoke method to sign, store and retrieve the tokens using Rebar's secure RebarSettingController.default.setSecureSetting and RebarSettingController.default.getSecureSetting methods. If you are going to use Rebar's built in methods to use the settings, invoke the RebarUtil.default.setWebServiceApiKeys methods described below.

  • Sign the Requests

    When invoking your web service, the Rebar RBT signed headers must be present in the request, as well as the apps signed token headers. Use the RebarSettingController.default.getSecureSetting to retrieve your tokens if you are performing signing yourself or the RebarUtil.default.signedHeadersForWebServiceApi method to automatically manage signing

  • Refresh Tokens

    As your tokens expire, the web service shall be able to refresh the tokens with the Rebar Token Validation Service at any time. The Rebar RBT are sent with each request to your web service, the headers can be forwarded to the Rebar Token Validation Service and validation can be performed. As above, you will need to securely store the refreshed tokens.

Calling your Web Service Token Generator service

To invoke your Web Service and receive your bearer tokens, you will need to embed the RBT signed headers with the RebarUtil.instance.signedRebarHeaders method. This will enable your backend web service to invoke the Rebar Token Validation Service to validate the user is still valid.

To make this request, perform the following (this assumes is your token generation endpoint).

HttpsURLConnection Example

For HttpsURLConnection we have included extension methods that make this process easier.

// The URL to invoke
val urlValue = URL("")

// Setup the connection
val urlConnection = urlValue.openConnection() as HttpsURLConnection

// Always call this before invocation to harden (will be automated in future)

OkHttp Example

OkHttp requires a minor bit of manual work, but made easier by the .apply {} closure:

// Grab the URL
val url = ""

// Create the OkHttpClient
val client = OkHttpClient()

// Build the request. We will add the Rebar headers and our Web Service Bearer Token headers
val request = Request.Builder()
    .apply {
        // Add the Rebar headers
        RebarUtil.instance.signedRebarHeaders.forEach {
            this.addHeader(it.key, it.value)

Storing Headers

You can store your WSBT in the RebarUtil.default.setWebServiceApiKeys by invoking:

// Grab the keys we will store (from a JSONObject)
val sharedKey = asJson.getString("authKeyRefId")
val secretKey = asJson.getString("secretKey")

RebarUtil.instance.setWebServiceApiKeys("sample-app", sharedKey, secretKey)

In this example, the result from the WSBT has a header value authKeyRefId and secretKey, we then store them using the RebarUtil.default.setWebServiceApiKeys method. From here, we can then use those WSBT tokens to sign headers.

Leveraging Headers and Making Requests

When you are ready to make your request to the server, you will want to invoke the RebarUtil.default.signedHeadersForWebServiceApi method. This generates the series of headers you can add to your HTTPS request to the server. You can find more about this on the iOS and Android pages: