8.2 Authentication and Security for COUNTER_SUSHI API

The COUNTER_SUSHI API MUST be implemented using TLS (HTTPS).

The API MUST be secured using one or more of the following methods:

  • Combination of customer ID and requestor ID

  • IP address of the SUSHI client

  • API key assigned to the organization harvesting the usage

Non-standard techniques for authentication (techniques not specified in the COUNTER_SUSHI API specification) MUST NOT be used.

If IP address authentication is implemented, it MUST allow the same SUSHI client (a single IP address) to harvest usage for multiple customer accounts (e.g. hosted ERM services).
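
A server-side check that applies the rules above, given as an added example (it is not part of the Code of Practice or of any provider's implementation). It reads the COUNTER_SUSHI query parameters customer_id, requestor_id and api_key; the function names, the sample data, and the choice to require every method the provider has enabled to pass are assumptions.

```python
import hmac
import ipaddress

STANDARD_METHODS = {"customer_requestor", "ip", "api_key"}

# Constructed sample data (not real credentials or accounts).
REQUESTORS = {("cust-001", "req-erm"), ("cust-002", "req-erm")}
# One SUSHI client IP may harvest for several customer accounts (hosted ERM service).
IP_ALLOWLIST = {ipaddress.ip_address("192.0.2.10"): {"cust-001", "cust-002"}}
# API key assigned to the harvesting organization -> customers it may harvest.
API_KEYS = [("constructed-key-erm", {"cust-001", "cust-002"})]


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None  # malformed address never matches the allow-list


def _key_allows(presented, customer):
    ok = False
    for key, customers in API_KEYS:
        # Constant-time comparison; every key is scanned so timing does not
        # reveal which entry matched.
        if hmac.compare_digest(presented.encode(), key.encode()) and customer in customers:
            ok = True
    return ok


def authorize(scheme, client_ip, params, enabled):
    """True only if the request used HTTPS and passes every enabled method."""
    unknown = set(enabled) - STANDARD_METHODS
    if not enabled or unknown:
        # Only the three methods listed in the specification are allowed.
        raise ValueError(f"non-standard or empty method set: {sorted(unknown)}")
    if scheme != "https":
        return False  # the API MUST be served over TLS
    customer = params.get("customer_id", "")
    checks = {
        "customer_requestor": lambda: (customer, params.get("requestor_id", "")) in REQUESTORS,
        "ip": lambda: customer in IP_ALLOWLIST.get(_parse_ip(client_ip), set()),
        "api_key": lambda: _key_allows(params.get("api_key", ""), customer),
    }
    return all(checks[m]() for m in enabled)
```

With IP authentication the allow-list still binds each address to specific customer accounts, so a known client IP asking for a customer it is not mapped to is refused.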