Seclore Online | Developer Guide

1. Introduction

This guide covers the technical implementation for integrating an Enterprise Application with Seclore Online — including key concepts, communication flows, security (proof keys), API specifications, and design considerations. It is intended for technical architects and development teams.

Readers are expected to have hands-on knowledge of RESTful web services and JSON, and an understanding of how files move in and out of the enterprise application being integrated.

2. Implementation Details

2.1 Key Concepts

File Token

A File Token is a unique string that represents a specific file in the enterprise application. Seclore Online includes the file token in all requests back to the enterprise application, allowing the host to locate the file.

A File Token must represent a single file and be URL-safe (tokens are passed in URLs).

Access Token

A string used by the enterprise application to determine the identity and permissions of the issuer of a request. The enterprise application provides an access token; Seclore Online passes it back on subsequent requests for validation.

Access tokens must:

Be scoped to a single user and resource combination.
Remain valid for all operations the user has permissions to perform (a view token stays valid when switching to edit mode).
Expire automatically — use access_token_ttl to specify expiry.
Only be revoked if a user's permissions change, not as a standard operation.

Access Token TTL

The access_token_ttl property specifies when an access token expires, expressed as milliseconds since January 1, 1970 UTC — an absolute timestamp, not a duration. It is always paired with a specific access token.

File Hash

During file opening, Seclore Online stores the file contents and its hash. If a subsequent open request arrives with the same hash, Seclore Online reuses the cached contents instead of calling getFile again.

Session Context

A property the enterprise application generates to store session-related data. Once sent to Seclore Online, this data is echoed back in all subsequent requests.

Cloud File Access on Desktop (CFAD)

Seclore Online can open files natively using the Seclore Desktop Client on the user's machine. After editing, the file is saved back to the enterprise application. Technical details are in Section 5.3.

Discovery

The process by which an enterprise application obtains proof keys, supported versions, and features from Seclore Online. Cache the discovery response and refresh it every 12–24 hours, or re-run it when proof key validation fails (indicating keys may have been rotated).

2.2 Communication Flows

Solid arrows = requests · Dashed arrows = responses

Flow A — File Open in View Mode, Switched to Edit

Flow B — File Open with Save-back

Flow C — File Open via CFAD (Cloud File Access on Desktop)

2.3 Integrity & Proof Keys

Discovering Proof Keys

The Discovery endpoint returns proof keys used to sign and verify all requests between Seclore Online and the enterprise application. Cache the response and refresh every 12–24 hours, or re-run discovery when proof key validation fails.

Proof Validation and Rollover

Seclore Online signs every request with a private key. The corresponding public key is in the proof-key field of the discovery response, sent via X-Seclore-Proof and X-Seclore-ProofOld HTTP headers.

To verify a request, check these three combinations in order — if any one passes, the request is authentic:

X-Seclore-Proof decrypted with the current public key
X-Seclore-ProofOld decrypted with the current public key
X-Seclore-Proof decrypted with the old public key

If none of the three passes, return 500 Internal Server Error.

Building the expected proof (Java):

private static byte[] getExpectedProofBytes(String pUrl, String pAccessToken, String pTimestamp) {
    final byte[] accessTokenBytes = pAccessToken.getBytes(StandardCharsets.UTF_8);
    final byte[] hostUrlBytes = pUrl.toUpperCase().getBytes(StandardCharsets.UTF_8);
    final Long timestamp = Long.valueOf(pTimestamp);
    final ByteBuffer byteBuffer = ByteBuffer.allocate(
        4 + accessTokenBytes.length + 4 + hostUrlBytes.length + 4 + 8);
    byteBuffer.putInt(accessTokenBytes.length);
    byteBuffer.put(accessTokenBytes);
    byteBuffer.putInt(hostUrlBytes.length);
    byteBuffer.put(hostUrlBytes);
    byteBuffer.putInt(8);
    byteBuffer.putLong(timestamp);
    return byteBuffer.array();
}

Verifying the proof (Java):

public static boolean verifyProofKey(String strModulus, String strExponent,
        String strProofKey, byte[] expectedProofArray) throws Exception {
    PublicKey publicKey = getPublicKey(strModulus, strExponent);
    Signature verifier = Signature.getInstance("SHA256withRSA");
    verifier.initVerify(publicKey);
    verifier.update(expectedProofArray);
    final byte[] signedProof = DatatypeConverter.parseBase64Binary(strProofKey);
    return verifier.verify(signedProof);
}

Renew Access Token

When an access token expires, the enterprise application must return 401. Seclore Online then calls the Renew Access Token endpoint with the expired token. The enterprise application validates it and returns a new token, which Seclore Online uses to retry the failed request.

3. Configurations

Whitelist Enterprise Application URL in Seclore Online

To open protected files using Seclore Online, the enterprise application URL must be whitelisted. Without this, Seclore Online will reject all requests from the application. One Seclore Online instance supports multiple whitelisted applications.

Configure the URL following the Seclore Online Installation Manual, then restart Seclore Online for changes to take effect.

4. Design Considerations

Failed Access Token Renewal

If an access token has expired, return 401. Seclore Online calls Renew Access Token with the expired token, and the enterprise application should respond with a new token. Seclore Online retries the original request using the renewed token.

Error URL Framework

Seclore Online returns an error-url in the response header for any exception. The integrating application can redirect to this URL to display contextual Seclore Online error pages (e.g. "file too large to open online", "unsupported extension"), or render a custom error page instead. See Section 5.2 for technical details.

Version Conflict Resolution

When multiple users attempt to edit and save the same file simultaneously, the enterprise application must handle version conflicts. Possible strategies:

Once a file is open in edit mode, open it in view mode for all other users.
Allow simultaneous edits, then create a new file on close and let users resolve conflicts manually.

5. APIs & Technical Details

Headers repeated across most APIs are documented in the Header Appendix.

5.1 Seclore Online Endpoints

Prefix the Seclore Online base URL to the paths below.

GET /seclore/discovery — Discovery

Returns proof keys enabling secure communication between Seclore Online and the enterprise application.

Request Headers

Header	Required	Description
`X-Request-Id`	Optional	Unique request identifier for logging.

Success Response — 200

{
  "proof-keys": {
    "old": { "proof-key": { "modulus": "<BASE64>", "exponent": "<BASE64>", "algo": "SHA256withRSA" } },
    "new": { "proof-key": { "modulus": "<BASE64>", "exponent": "<BASE64>", "algo": "SHA256withRSA" } }
  },
  "versions": [1.0],
  "supported-features": [1.0]
}

Field	Description
`proof-keys.old`	Key that was previously "new" and has since been rotated.
`proof-keys.new`	Current active proof key after the latest rollover.
`modulus / exponent`	Base64-encoded RSA key components.
`algo`	Signing algorithm — currently `SHA256withRSA`.
`versions`	Supported API versions. Currently `[1.0]`.
`supported-features`	`1.0` = CFAD (native file open) is supported.

Error Response — 500

Headers: X-Seclore-ErrorCode, X-Seclore-ErrorMsg, X-Seclore-ErrorURL (optional), X-Request-Id.

GET /seclore/1.0/files/preflight — Pre-flight Check

Checks whether a file can be opened by Seclore Online (online or natively), based on extension and file size.

Request Headers

Header	Required
`X-Seclore-PolicyServerURL`	Mandatory
`X-Request-Id`	Optional

Query Parameters

Parameter	Description
`name`	Full file name including extension. Use `.html` for HTML-wrapped files (e.g. `sample.docx.html`).
`size`	File size in bytes.
`agentless`	`0` = native open check; `1` = online open check.

Success Response — 200

{ "allowed-action": [ "view" | "edit" ] }

Error Response — 500

Headers: X-Seclore-ErrorCode, X-Seclore-ErrorMsg, X-Seclore-ErrorURL (optional), X-Request-Id.

POST /seclore/1.0/files/open — Open

Browser redirect after a successful pre-flight. Initiates file opening in the browser or via native desktop client.

Form Parameters

Parameter	Description
`accessToken`	Access token issued by the enterprise application for this specific file.
`accessTokenExpiry`	Expiry time in milliseconds since January 1, 1970 UTC.
`fileToken`	Unique string representing the file being opened.
`serviceUrl`	Enterprise application base URL. Seclore Online constructs endpoint URLs relative to this.
`agentless`	`0` = native (CFAD); `1` = online.
`policyServerURL`	Policy Server URL that protected the file.
`sessionContext`	Session-specific data. Mandatory — pass any random string if none needed.
`requestId`	Request ID for logging.

Success: File opens in browser or Desktop Client. Error: Error page shown by Seclore Online.

5.2 Seclore Online Error Framework

POST {X-Seclore-ErrorURL} — Error Page

The full URL is returned in the X-Seclore-ErrorURL response header. Redirecting to this URL displays a contextual Seclore Online error page, which may include secondary actions (e.g. download the file locally when it is too large to open online).

Form Parameters

Parameter	Required	Description
`accessToken`	Mandatory	Access token for the file.
`fileToken`	Mandatory	Unique file identifier.
`serviceURL`	Mandatory	Enterprise application base URL.
`requestId`	Mandatory	Request ID for logging.
`sessionContext`	Optional	Session-specific data.

5.3 Enterprise Application Endpoints

Implement these endpoints in your enterprise application. Prefix the service URL to the paths below.

GET /seclore/1.0/files/{fileToken} — Check File

Returns file metadata required by Seclore Online to open the file.

Request Headers

Header	Required
`Content-Type: application/json; charset=utf-8`	Mandatory
`Authorization`	Mandatory
`X-Seclore-TimeStamp`	Mandatory
`X-Seclore-Proof`	Mandatory
`X-Seclore-ProofOld`	Mandatory
`X-Seclore-SessionContext`	Optional
`X-Request-Id, X-RequestingAppName, X-RequestingAppVersion`	Optional

Success Response — 200

{
  "file-name": "string",
  "file-hash": "string",
  "file-hash-algo": "string",
  "file-size": "string",
  "options": {
    "allow-edit": boolean,
    "allow-download": boolean,
    "allow-unprotected-download": 0 | 1,
    "email-copy": boolean,
    "allow-saveback": boolean
  },
  "allowed-action": [ "view" | "edit" ]
}

Field	Description
`file-name`	Full file name with extension.
`file-hash`	File hash. If it matches Seclore Online's stored hash, `getFile` is skipped.
`file-hash-algo`	Algorithm used to compute the hash.
`file-size`	File size in bytes.
`options.allow-edit`	Show edit button in view mode. Ignored if `allowed-action` is already `edit`.
`options.allow-download`	Allow downloading a protected copy.
`options.allow-unprotected-download`	`0` = deny, `1` = allow unprotected download.
`options.email-copy`	Email an edited copy to the user on close.
`options.allow-saveback`	Allow saving the edited file back to the enterprise application.
`allowed-action`	`view` or `edit` — the mode in which the file opens.

Seclore Online intersects these settings with Seclore permissions. For example, if allowed-action is edit but the user lacks Seclore edit permission, the file opens in view mode.

Error Response — 400, 401, 500

Headers: X-Seclore-ErrorCode, X-Seclore-ErrorMsg, X-Seclore-ErrorURL (optional).

GET /seclore/1.0/files/{fileToken}/contents — Get File

Returns the actual file contents to Seclore Online.

Request Headers

Header	Required
`Authorization`	Mandatory
`Content-Disposition`	Mandatory
`X-Seclore-TimeStamp, X-Seclore-Proof, X-Seclore-ProofOld, X-Seclore-FileHash`	Mandatory
`X-Seclore-SessionContext, X-Request-Id, X-RequestingAppName, X-RequestingAppVersion`	Optional

Success Response — 200

Headers: Content-Type: application/octet-stream, Content-Disposition (mandatory), X-Seclore-FileName (mandatory), X-Seclore-SessionContext (optional).
Body: binary file contents.

Error Response — 400, 401, 500

Headers: X-Seclore-ErrorCode, X-Seclore-ErrorMsg, X-Seclore-ErrorURL (optional).

GET /seclore/1.0/files/{fileToken}/download — Download File

Returns the file contents when the user downloads a protected copy from the Seclore Online error page.

Request headers and success/error response are identical to Get File above.

POST /seclore/1.0/files/{fileToken}/contents — Put File

Used by Seclore Online to save back the edited file to the enterprise application.

Request Headers

Header	Required
`Authorization, X-Seclore-TimeStamp, X-Seclore-Proof, X-Seclore-ProofOld, Content-Length`	Mandatory
`SAVE_EVENT_MODE`	Mandatory — `Manual` or `Automatic`
`X-Seclore-SessionContext`	Optional

Request body: binary file contents.

Success Response — 200

Headers: Content-Type: application/octet-stream, X-Seclore-SessionContext (optional).

Error Response — 400, 401, 500

Headers: X-Seclore-ErrorCode, X-Seclore-ErrorMsg, X-Seclore-ErrorURL (optional).

POST /seclore/1.0/files/{fileToken}/initedit — Init Edit

Called by Seclore Online when the user wants to switch from view to edit mode. Checks whether the file can be opened for editing.

Request headers: Authorization, X-Seclore-TimeStamp, X-Seclore-Proof, X-Seclore-ProofOld (all mandatory), plus optional headers.

Success (200): X-Seclore-SessionContext (optional). Error (400, 401, 500): X-Seclore-ErrorCode, X-Seclore-ErrorMsg.

POST /seclore/1.0/files/{fileToken}/edit — Edit

Called by Seclore Online after a successful initEdit. This endpoint must then call Seclore Online's open endpoint to open the file in edit mode.

Form Parameters

Parameter	Required	Description
`accessToken`	Mandatory	Access token for the file.
`fileToken`	Mandatory	Unique file identifier.
`sessionContext`	Optional	Session-specific data.
`requestID`	Optional	Request ID for logging.

POST /seclore/1.0/renewToken — Renew Access Token

Called by Seclore Online when it receives a 401. Returns a renewed access token.

Request headers: Authorization (expired token), X-Seclore-TimeStamp, X-Seclore-Proof, X-Seclore-ProofOld (all mandatory).

Success Response — 200

{ "access-token": "string", "access-token-ttl": 1680000000000 }

access-token-ttl is milliseconds since January 1, 1970 UTC (absolute timestamp, not duration).

Error Response — 400, 401, 500

Headers: X-Seclore-ErrorCode, X-Seclore-ErrorMsg.

POST /seclore/1.0/files/{fileToken}/events/open — Open Event

Sent by Seclore Online when the user opens the file.

Request headers: Content-Type: application/json, Authorization, X-Seclore-TimeStamp, X-Seclore-Proof, X-Seclore-ProofOld (all mandatory).

{ "actual-allowed-action": "view" | "edit" }

Success (200) | Error (400, 401, 500, 501): X-Seclore-ErrorCode, X-Seclore-ErrorMsg.

POST /seclore/1.0/files/{fileToken}/events/close — Close Event

Sent by Seclore Online when the user closes the file.

Request headers: same as Open Event.

{ "mode": "manual" | "automatic" }

manual — user explicitly closed. automatic — auto-closed by the system.

Success (200) | Error (400, 401, 500, 501): X-Seclore-ErrorCode, X-Seclore-ErrorMsg.

5.4 Status Code Appendix

Code	Name	Description
200	OK	Request was successful.
401	Unauthorized	Access token has expired or is invalid.
404	Not Found	Requested resource not found.
500	Internal Server Error	Internal server error.
501	Not Implemented	The requested method is not implemented.

5.5 Header Appendix

Header	Type	Description
`X-Request-Id`	String	Unique request identifier for logging.
`Authorization`	String	Access token. Value must be prefixed with `Bearer <token>`.
`X-RequestingAppName`	String	Name of the requesting application.
`X-RequestingAppVersion`	String	Version of the requesting application.
`X-Seclore-TimeStamp`	Number	100-nanosecond intervals elapsed since 12:00:00 midnight, January 1, 0001 UTC.
`X-Seclore-Proof`	String	Data signed using the new proof key from discovery.
`X-Seclore-ProofOld`	String	Data signed using the old proof key from discovery.
`X-Seclore-PolicyServerURL`	String	Comma-separated Policy Server URL(s) that protected the file.
`X-Seclore-SessionContext`	String	Session context. Enterprise application sends in requests; Seclore Online echoes updated value in subsequent requests.
`user-agent`	String	Optional. User agent opening the file.
`X-Seclore-FileHash`	String	Hash of the file sent in the request body.
`X-Seclore-FileName`	String	File name.
`Content-Disposition`	String	Standard HTTP header with file name as attachment.
`Content-Length`	Number	File size in bytes.
`Content-Type`	String	Standard HTTP content type header.
`SAVE_EVENT_MODE`	String	`Manual` — user saved. `Automatic` — auto-saved.
`X-Seclore-ErrorCode`	Number	Error code in case of an error.
`X-Seclore-ErrorMsg`	String	Error message in case of an error.
`X-Seclore-ErrorURL`	String	Redirect the user to this URL to show a Seclore Online error screen.

6. FAQs

General integration FAQs are on the FAQs page.

How do I configure a new Policy Server URL?

One Seclore Online instance supports multiple Policy Servers. To add one:

Configure the PS URL in your enterprise application to send it as a header and parameter in requests wherever expected.
Whitelist the PS URL in Seclore Online following the Seclore Online Installation Manual.
Restart Seclore Online for changes to take effect.

7. Glossary

Term	Definition
Policy Server	The command-and-control center of the Seclore system. Manages usage policies, user permissions, protected files, and activity logs.
Seclore Online	Seclore component for accessing protected files in a browser without installing any local agent.
Enterprise Application	Applications (DMS, CMS, EFSS, SAP, etc.) integrated with Seclore to apply data-centric security to downloaded files and extracts.
User	Person who interacts with the enterprise application and needs to view or edit data moving outside of it.
Protected Content	Data or files encrypted with Seclore.
Agent	Software installed on a user's machine to access Seclore-protected files outside of Seclore Online.

Seclore Online Integration – Developer Guide

1. Introduction

2. Implementation Details

2.1 Key Concepts

File Token

Access Token

Access Token TTL

File Hash

Session Context

Cloud File Access on Desktop (CFAD)

Discovery

2.2 Communication Flows

Flow A — File Open in View Mode, Switched to Edit

Flow B — File Open with Save-back

Flow C — File Open via CFAD (Cloud File Access on Desktop)

2.3 Integrity & Proof Keys

Discovering Proof Keys

Proof Validation and Rollover

Renew Access Token

3. Configurations

Whitelist Enterprise Application URL in Seclore Online

4. Design Considerations

Failed Access Token Renewal

Error URL Framework

Version Conflict Resolution

5. APIs & Technical Details

5.1 Seclore Online Endpoints

Request Headers

Success Response — 200

Error Response — 500

Request Headers

Query Parameters

Success Response — 200

Error Response — 500

Form Parameters

5.2 Seclore Online Error Framework

Form Parameters

5.3 Enterprise Application Endpoints

Request Headers

Success Response — 200

Error Response — 400, 401, 500

Request Headers

Success Response — 200

Error Response — 400, 401, 500

Request Headers

Success Response — 200

Error Response — 400, 401, 500

Form Parameters

Success Response — 200

Error Response — 400, 401, 500

5.4 Status Code Appendix

5.5 Header Appendix

6. FAQs

How do I configure a new Policy Server URL?

7. Glossary