Saby API

Authenticate using the API

Authenticate using the API

Saby Authentication can be processed using the employee's electronic signature or with your username and password.

If authentication is successful, the user is returned a string with the session ID. It must be passed to the server when each command is executed.

By certificate
By login/password
  1. Run the command «СБИС.СписокСертификатовДляАутентификации» to check certificates that allow authentication.
  2. Select certificate. Using the «СБИС.АутентифицироватьПоСертификату» log in to your personal account. The response returns the session ID, which is encrypted to the address of the selected certificate.
  3. Decrypt the session ID using any certified means of cryptographic protection of information. The encrypted session is transmitted as a «ContentInfo» structure with the «EnvelopedData» structure as its content. The session ID is encrypted to the public key address of the certificate that is used for authentication. An example can be found on the CryptoPro website.
  4. Work in your personal account and execute other API commands.
  1. Run the command «СБИС.Аутентифицировать». Pass the username/password from your personal account there. The response returns the session ID.
  2. Work in your personal account and execute other API commands.

When executing HTTP requests, specify the session ID as the value of the HTTP header «X-SBISSessionID». The exception is the «СБИС.Аутентифицировать», «СБИС.АутентифицироватьПоСертификату» and «СБИС.СписокСертификатовДляАутентификации».

Example of an HTTP request header with the session ID

Content-Type: application/json-rpc;charset=utf-8
X-SBISSessionID: 0000ea78-0000ea79-00ba-d3b85272bc0c4842

If there are no requests to the server, the session ID is forcibly canceled after 24 hours. The maximum «lifetime» of the ID is 7 days from the moment of authentication.

To end the session and terminate the exchange session, call the «СБИС.Выход» function.

The authentication procedure must be performed once per session. The resulting ID can be used repeatedly to execute other commands in this session. If you receive a 401 (Unauthorized) status code in response to an HTTP POST/GET request, authenticate again and repeat the request.


If the authentication method is performed more than 300 times per minute, the system will block access to the IP address for 20 minutes.


The «Exchange with partners» and «Implementation of EDI» tariffs of «Electronic Document Flow» service.

Нашли неточность? Выделите текст с ошибкой и нажмите ctrl + enter.