CreateTicketforUser

# CreateTicketforUser API

Creates an authentication ticket for any specified infoRouter user without requiring that user's password. Instead, a server-side trusted user password (configured in the application settings) is presented by the calling application. This enables secure server-to-server impersonation and integration scenarios.

A typical use case is a trusted back-end service that needs to act on behalf of different users without storing or knowing individual passwords.

Endpoint¶

/srv.asmx/CreateTicketforUser

Methods¶

• GET /srv.asmx/CreateTicketforUser?TrustedUserPwd=...&UserName=...
• POST /srv.asmx/CreateTicketforUser (form data)
• SOAP Action: http://tempuri.org/CreateTicketforUser

Parameters¶

Note: This method does not require an authenticationTicket. Access is controlled solely by the TrustedUserPwd server secret.

Response¶

Success Response¶

<root success="true" ticket="3f2a1b4c-5d6e-7f8a-9b0c-1d2e3f4a5b6c" />

Response Attributes¶

Note: Unlike AuthenticateUser, this response returns only ticket — it does not include userid, username, firstName, lastName, email, expireOn, or isAuthenticated.

Error Response¶

<root success="false" error="[ErrorCode] Error message" />

Required Permissions¶

• No infoRouter authentication ticket is required.
• The caller must know the trusted user password configured on the server.
• The system administrator account (configured as SysadminAccountName in appsettings.json) cannot be impersonated — attempting to do so always returns [902].

Example¶

Request (GET)¶

GET /srv.asmx/CreateTicketforUser?TrustedUserPwd=MyServerSecret&UserName=jsmith HTTP/1.1
Host: server.example.com

Request (POST)¶

POST /srv.asmx/CreateTicketforUser HTTP/1.1
Content-Type: application/x-www-form-urlencoded

TrustedUserPwd=MyServerSecret&UserName=jsmith

Request (SOAP 1.1)¶

POST /srv.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/CreateTicketforUser"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <CreateTicketforUser xmlns="http://tempuri.org/">
      <TrustedUserPwd>MyServerSecret</TrustedUserPwd>
      <UserName>jsmith</UserName>
    </CreateTicketforUser>
  </soap:Body>
</soap:Envelope>

Notes¶

• Trusted password is a server secret: The TrustedUserPwd value is set in appsettings.json on the infoRouter server. It is not a user password and is not stored in the user database. Treat it like an API key — rotate it periodically and never expose it in client-side code.
• Sysadmin is always blocked: Creating a ticket for the system administrator account is explicitly prevented regardless of the trusted password. This is a hardcoded security constraint.
• Ticket privileges: The returned ticket carries the full permissions of the impersonated user. Any subsequent API call using this ticket is indistinguishable from the user having logged in normally.
• Ticket expiry: The created ticket uses the standard 30-day sliding expiration.
• Reduced response: This method returns only ticket on success, unlike AuthenticateUser which also returns userid, username, firstName, lastName, email, expireOn, and isAuthenticated. If profile information is needed, call GetCurrentUser using the returned ticket.
• Transport security: Because TrustedUserPwd grants impersonation of any user, always transmit it over HTTPS. Never pass it in query string parameters in production environments — use POST instead.

Related APIs¶

• AuthenticateUser - Standard username/password login returning full profile info
• AuthenticateUser1 - Standard login with explicit session language
• GetCurrentUser - Retrieve profile information of the currently authenticated user
• LogOut - Invalidate the authentication ticket

Error Codes¶