We recommend you adhere to the following guidelines while you develop your app:
- REST based William Hill API Authentication should be used by mobile apps only and in this case, username and password should not be stored in the device. TGT storage is encouraged instead.
- We strongly recommend you do not store usernames and passwords, but If it is needed, a keychain with the attribute kSecAttrAccessibleWhenUnlockedThisDeviceOnly should be used (or Secure Preferences in Android)
- Connections to the William Hill API must use TLS for channel encryption. The certificate and the keychain provided by the the William Hill endpoints must be properly validated on the client that is connecting to the William Hill API.
- Web apps should perform user authentication using CAS Single Sign-On. See Authentication model.
- Server side services that needs access on behalf of an authenticated user to William Hill API should use the proxy feature from CAS Single Sign-On.
- Mobile apps should call William Hill APIs directly from the device and not use proxy requests through a web server.
- Mobile/Web applications are not allowed to store customer data on their back ends.