We make calls to our REST api over an HTTPS channel. Each request includes an authorization header containing a SAML token. The SAML token was established on initial authentication, based on the username and password in the case of non-SSO integrations. The SAML token represents the identity of the user and contains a set of all the claims for the user. The SAML token cannot be tampered with or it will fail validation and will be rejected. All AVAIL data is accessed based on the values in the token.

Did this answer your question?