The REST API is used as a communication interface for the web-clients and devices. On this interface, the client Apps are able to send requests to the server. e.g. (Installation, Registration, Screen Thumbnails...).
For sending commands and real-time notifications e.g.(Loadpage, Settime...) to the devices, the server implements a subscription-based communication protocol (STOMP) over a WebSocket transport layer.
When the Client application starts it uses the REST API to register itself on the server. If the registration was successful, the device builds up the WebSocket channel and listens for incoming messages.
The authorization protocol between the server and the front-end (Management User Interface) is based on the OAuth2 standard. With this protocol, the device requests a token during the login and places this token in the authorization header in every request thereafter.
All communication is secured over the HTTPS protocol (WSS in the case of WebSocket).