---
title: About the Apple News Security Model
framework: applenews
role: article
role_heading: Article
path: applenews/about-the-apple-news-security-model
---

# About the Apple News Security Model

Learn how the Apple News API authenticates clients, authorizes your news channel, and enforces confidentiality.

## Overview

Security is the highest priority of the Apple News API, and it conforms to these principles:

- Authentication: Validates the identity of the client.
- Authorization: Provides fine-grained control over clients, allowing only specific actions that the client has permission to perform.
- Confidentiality: Protects information by encrypting data that’s exchanged between client and server.

Note: In this documentation, a client is a remote system identified by an API key. News Publisher provides you with the API key when you set up your channel. See Use your CMS with News Publisher.

### Authentication

The Apple News API authenticates clients using message authentication codes (MAC), specifically hash-based message authentication codes (HMAC). MAC/HMAC is a common authentication mechanism for REST APIs and provides a way for a server to prove to its client that it possesses a particular shared secret.

The server uses the following MAC/HMAC authentication process:

1. The client uses the cryptographic hash function SHA-256 to combine the secret and the content of the message to generate a cryptographic hash.
2. The server uses the same secret and message content to generate the server-side cryptographic hash.
3. The server verifies the hash the client provides to check if it matches the server’s hash.

If the hash the client provides doesn’t match the server’s hash, the client might not have the correct secret, the client might have generated the hash incorrectly, or someone may have tampered with the message.

For more information, see Authenticating the Apple News API.

### Authorization

The Apple News API enforces authorization by tying each API key to a single channel. A client that’s using a particular API key can create, read, update, or delete only those resources that are owned by the channel.

The Apple News API doesn’t support roles. Every key for a particular channel has access to all API endpoints for that channel.

### Confidentiality

Transport layer security (TLS) enforces confidentiality in the Apple News API. The Apple News API listens for requests served over TLS/HTTPS only. This ensures that all requests and responses are fully encrypted.

### Authenticating the Apple News API

To meet the authentication requirements of the Apple News API, follow these steps for each request.

#### Create a Request

If the request is a GET, create a canonical request by using a byte-wise concatenation of the following:

- The HTTP method (for example, `GET` or `POST` in all caps)
- The full URL of the request
- The current date in ISO 8601 format

Note: Comscore analytics require a canonical URL for data collection and reporting.

If the request is a POST request with an entity, then include the following in the canonical request:

- The value of the `Content-Type` header
- The full content of the entity

#### Complete the Request

1. Decode the secret that you received as a Base64-encoded string when you created your channel in News Publisher.
2. Use HMAC SHA-256 to generate a hash out of the canonical request you created in Create a Request.
3. Encode the hash with Base64.
4. Set the `Authorization` header as follows, then send the request:

```
HHMAC; key=<api-key-id>; signature=<hash>; date=<date>
```

where `<date>` is the date string you created in Create a Request.

For more information about authenticating the Apple News API, see Apple News API Tutorial.
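The signing steps above and the server-side comparison from the Authentication section, as an added Python example that is not Apple's own code. The key ID, secret, URL, date format string and the `verify` function are constructed for illustration; `verify` is an assumed shape for the server check, not a documented API.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample values, not real credentials or endpoints.
KEY_ID = "DEMO-KEY-ID"
SECRET_B64 = base64.b64encode(b"constructed demo secret").decode()
URL = "https://news-api.example.com/channels/DEMO-CHANNEL/articles"


def canonical_request(method, url, date, content_type=None, body=b""):
    """Byte-wise concatenation of method, full URL and date; a POST with
    an entity also appends the Content-Type value and the entity bytes."""
    parts = [method.upper().encode(), url.encode(), date.encode()]
    if content_type is not None:
        parts += [content_type.encode(), body]
    return b"".join(parts)


def sign(secret_b64, canonical):
    """Decode the Base64 secret, HMAC-SHA256 the request, Base64 the hash."""
    key = base64.b64decode(secret_b64)
    return base64.b64encode(hmac.new(key, canonical, hashlib.sha256).digest()).decode()


def authorization_header(key_id, secret_b64, method, url, date=None,
                         content_type=None, body=b""):
    date = date or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    sig = sign(secret_b64, canonical_request(method, url, date, content_type, body))
    return f"HHMAC; key={key_id}; signature={sig}; date={date}"


def verify(header, secret_b64, method, url, content_type=None, body=b""):
    """Server-side check (assumed shape): recompute the hash from the same
    inputs and compare it with the client's value in constant time."""
    scheme, _, params = header.partition(";")
    fields = dict(p.strip().split("=", 1) for p in params.split(";") if "=" in p)
    if scheme.strip() != "HHMAC" or not {"signature", "date"} <= fields.keys():
        return False
    expected = sign(secret_b64, canonical_request(
        method, url, fields["date"], content_type, body))
    return hmac.compare_digest(expected.encode(), fields["signature"].encode())


if __name__ == "__main__":
    hdr = authorization_header(KEY_ID, SECRET_B64, "GET", URL)
    print(hdr, verify(hdr, SECRET_B64, "GET", URL))
```

Because the URL, date, `Content-Type` value and entity all feed the hash, changing any of them after signing makes `verify` return `False`, which is the mismatch case the Authentication section describes.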

## See Also

### Essentials

- [Getting Ready to Publish and Manage Your Articles](applenews/getting-ready-to-publish-and-manage-your-articles.md)
- [About Apple News API Field Types](applenews/about-apple-news-api-field-types.md)
- [Formatting Strings](applenews/formatting-strings.md)
