SafeSend Web Add-in Authentication

Written By Marissa Fegan (Super Administrator)

Updated at November 4th, 2021

The SafeSend Web add-in authenticates the sender with the mail server and validates the sender domain against the SafeSend licensed domains. This article explains how the Web add-in authenticates with Microsoft 365 and Microsoft Exchange.


SafeSend Web Add-in Authentication Diagram

 


  1. When you send an email, the SafeSend web add-in receives an access token issued by Microsoft 365 or Exchange.
    • When Outlook reads safesend-manifest.xml and applies the specified controls in the UI, it then loads the JavaScript and HTML. The web components all run in the context of a browser in a sandbox.
  2. Calls to the endpoints listed below require a valid token (either issued from the provider specified in the EmailProviderUrl setting of the settings.json file or from SafeSend)
    • HTTP POST api/login
      • Calls to the login endpoint require a valid Microsoft 365/Exchange access token issued from the respective provider to create a SafeSend access token
      • The provided token is used to query the email domain from the EmailProviderURL setting and only domains specified in the LicenseKey setting are authorized; any attempts with an invalid token or an unlicensed domain will produce an Unauthorized (401) response
    • HTTP POST api/settings/platform
      • Calls to the settings endpoint do not require a token
    • HTTP POST api/mail
      • Calls to the mail endpoint require a valid SafeSend access token issued by SafeSend
    • HTTP PATCH api/mail
      • Calls to this endpoint require a valid SafeSend access token issued by SafeSend
    • HTTP POST api/mail/dlp/{connectionId}
      • Calls to this endpoint require a valid SafeSend access token issued by SafeSend
    • HTTP DELETE api/mail/dlp
      • Calls to this endpoint require a valid SafeSend access token issued by SafeSend
  3. Your chosen platform (Microsoft 365 or Exchange) will return basic information like email addresses, allowing VIPRE to know who the access token owner is.
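
The token requirements in step 2 can be modelled as a small policy table plus the login domain check. This is an added example, not VIPRE's code: every name in it is hypothetical, and the provider lookup and SafeSend token validation are injected stand-ins. It assumes exact, case-insensitive domain matching and a 404 for routes not listed on this page.

```javascript
// Token type each endpoint requires, as listed on this page (paths written as the page writes them).
const ROUTES = [
  { method: 'POST',   pattern: /^api\/login$/,              token: 'provider' },
  { method: 'POST',   pattern: /^api\/settings\/platform$/, token: 'none' },
  { method: 'POST',   pattern: /^api\/mail$/,               token: 'safesend' },
  { method: 'PATCH',  pattern: /^api\/mail$/,               token: 'safesend' },
  { method: 'POST',   pattern: /^api\/mail\/dlp\/[^/]+$/,   token: 'safesend' },
  { method: 'DELETE', pattern: /^api\/mail\/dlp$/,          token: 'safesend' },
];

function requiredToken(method, path) {
  const route = ROUTES.find(r => r.method === method && r.pattern.test(path));
  return route ? route.token : null; // null: not a route documented here
}

// Assumption: licensed domains match exactly and case-insensitively. Suffix
// matching would also accept "notexample.com" for a licensed "example.com".
function isLicensedSender(email, licensedDomains) {
  if (typeof email !== 'string') return false;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return false;
  const domain = email.slice(at + 1).toLowerCase();
  return licensedDomains.some(d => d.toLowerCase() === domain);
}

// checks.providerEmail(token): address the mail provider reports for the token, or null.
// checks.safeSendValid(token): true for a token SafeSend issued. Both are stand-ins.
function authorize(req, checks, licensedDomains) {
  const need = requiredToken(req.method, req.path);
  if (need === null) return 404;   // assumption: unlisted routes are rejected
  if (need === 'none') return 200;
  if (!req.token) return 401;
  if (need === 'provider') {
    const email = checks.providerEmail(req.token);
    return isLicensedSender(email, licensedDomains) ? 200 : 401;
  }
  return checks.safeSendValid(req.token) ? 200 : 401;
}

// Constructed sample data: not real tokens, addresses or licensed domains.
const sampleEmails = new Map([['prov-a', 'Alice@Example.com'], ['prov-b', 'bob@notexample.com']]);
const sampleChecks = {
  providerEmail: t => sampleEmails.get(t) ?? null,
  safeSendValid: t => t === 'ss-1',
};
const sampleLicensed = ['example.com'];
```

A provider token that is valid for `api/login` is still rejected on the mail endpoints, which accept only the SafeSend-issued token.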