Access to Luminate Online Web Services is restricted in the following ways:

1. The server only accepts secure (SSL) connections.
2. The server only accepts connections from known IP addresses that are on a web services "white list."
3. The user name in a login request must be associated with an active constituent that has administrator status
4. The constituent associated with the user name must be a member of an administrator security group that has the "Use Luminate Online APIs" permission.
5. The password in a login request must be valid for the constituent.

A successful login returns a SessionId token in the response. All other types of requests are authenticated by included a valid session token in the header of the request. For example:

<?xml version='1.0' encoding='UTF-8' ?>
<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'>
  <soap:Header>
    <Session xmlns='urn:soap.convio.com'>
      <SessionId>e5d267b7c09382fd3c8b97aa75e61ad5ecc3e38d:JSESSIONID=abcu_AmzmlABt8amexGfs:10000100:1:2009-05-20T23:30:08.223Z</SessionId>
    </Session>
  </soap:Header>
  <soap:Body>
    <GetServerTime xmlns='urn:soap.convio.com'>
    </GetServerTime>
  </soap:Body>
</soap:Envelope>

A session token is valid for up to 30 minutes of inactivity.