Authentication and Authorization

Introduction to Aspera Authentication and Authorization
HST Server can be configured to support SSH or HTTPS authentication and authorization for browsing and transfers. For both methods, the client ascp process connects to the server by using the SSH protocol and initiates the server-side ascp process. Therefore, SSH connectivity and authentication to the server is always used.

Require Token Authorization: Set in the GUI
When transfer users or groups are configured to require token authorization, only transfers initiated with a valid token (transfer token, basic token, or bearer token) are allowed to transfer to or from the server. Token authorization can be set independently for incoming transfers and outgoing transfers.

Require Token Authorization: Set from the Command Line
When transfer users or groups are configured to require token authorization, only transfers initiated with a valid token (transfer token, basic token, or bearer token) are allowed to transfer to or from the server. Token authorization can be set independently for incoming transfers and outgoing transfers.

Transfer Token Creation (Node API)
Aspera recommends using the Node API tool to generate transfer tokens, though they can be generated using the astokengen tool. Using the Node API tool enables greater flexibility and functionality because astokengen creates tokens constrained by the settings in aspera.conf.

Transfer Token Generation (astokengen)
The astokengen command line tool enables users to generate and decode transfer tokens. Unless you are creating a transfer token for an Ascp 4 session, which requires that you use astokengen with the --full-paths option, Aspera recommends using the Node API tool to work with transfer tokens as it provides more functionality. For instructions see Transfer Token Creation (Node API). The Node API response includes FASP transfer parameters and the token string, whereas astokengen generates only a specific type of token. astokengen is most useful for decoding tokens during application development for debugging purposes.

Access Key Authentication
Access key authentication provides an alternative to entering the security credentials of a Node API user or system user. Because an access key is restricted to its own storage (local or cloud), it allows access control and usage reporting to be segregated by storage. This offers significant benefits to multi-tenant service providers and enterprise installations with multiple departments.

Basic Tokens
An Aspera basic token is created from an access key ID and secret, which authorizes a transfer user access to a specific area of a storage and authenticates that user to the storage. Basic tokens are less restrictive than transfer tokens. They can be used to transfer with any Aspera server that supports access keys (all but IBM Aspera on Cloud).

Bearer Tokens
A bearer token is created from an access key ID, access key secret, and an SSL private-public key pair. Bearer token authentication is required for transfers to and from IBM Aspera on Cloud, but can be used for transfers with all other Aspera servers, too.