Principals
Understand principals and user accounts.
Overview
A principal is an entity that can be authenticated by the Intelligent Risk Platform. Authentication is the process by which the platform verifies that an end user or application client is who it claims to be.
The Intelligent Risk Platform supports two principals: user accounts and client applications (API keys).
User accounts and client applications are only authorized to access protected resources and to perform operations if they are members of a group that has been assigned the appropriate access rights and role-based permissions.
User accounts
A user account is an entity that identifies an end user of the Intelligent Risk Platform.
The user account defines the credentials (user name and password) that enable an end user to log in to an Intelligent Risk Platform application, e.g. ExposureIQ, Risk Modeler, TreatyIQ, or UnderwriteIQ.
Many API resources return information about the user that created, last updated, or owns that entity. In general, the user account is identified by an email address, which serves as the user name.
Client applications
A client application is an entity that uses an Intelligent Risk Platform API to access and update tenant data. Client applications must pass a valid API key in the Authorization header of every request to an Intelligent Risk Platform API.
The API key is a string that identifies a client application.
Token-based authentication
The Intelligent Risk Platform supports two methods of client authentication: API keys and web tokens.
Moody's recommends that tenants use API keys to identify their client applications in production environments. Token-based authentication should be used for testing and evaluation purposes only.
In token-based authentication, the application client accesses the API on behalf of a user account and utilizes the user account's credentials to identify itself. For more information, see Authentication and Authorization.