Authorization
Authorization is done using the Authorization header, whose value carries a signature for the request. To generate the signature you need an API key.
API key
The API key can be requested on the control panel. In the settings menu you can manage the API keys and IP restrictions.
The API key consists of two parts:
Part | Description |
---|---|
id | A unique value which identifies the secret. This is the public part of the API key. |
secret | Used to sign requests. It is critical that the secret is NEVER exposed; this is why only the user to whom the key belongs can see it. This is the private part of the API key. |
The authorization header
The header value consists of two parts:
- Authentication scheme: hmac
- Authentication parameter: apikey.id:signature:nonce:timestamp
The authentication parameter is a concatenation of the API key's id, the generated signature, the nonce and the timestamp of the request, separated by colons:
Field | Description |
---|---|
apikey.id | The public part of the API key. |
signature | A signature generated using the private part (secret) of the API key. |
nonce | A unique value generated by the client. Each request must pass a different nonce, otherwise the request will fail. |
timestamp | A Unix timestamp: the time represented as a running total of seconds since the Unix Epoch (January 1st, 1970, UTC). |
Possible errors:
Error code | HTTP status code | Description |
---|---|---|
auth_header_missing | 400 | There is no authorization header in the request. |
auth_header_invalid | 400 | The authorization header isn't correctly formatted. |
replay_request | 401 | The request reuses a known nonce. |
request_invalid_signature | 401 | The request authorization fails. The signature is invalid. |
auth_service_unavailable | 503 | The authentication service is currently unavailable. Retry later. |
Pseudo code generation of the Authorization header
```
var content = "";
if (not empty request body) {
    content = base64 encoded md5 hash of request body;
}
var nonce = "a unique string value has to be used here";
var unixts = Utc(Now) - Utc(1970-01-01 00:00:00.000); // in seconds
var valueToSign =
    apikey.id +
    lowercased request method +
    urlencoded lowercased request path and querystring +
    unixts +
    nonce +
    content;
var signedValue = sha256 hashed valueToSign using the apikey's secret; // i.e. HMAC-SHA256 keyed with the secret
var signature = base64 encoded signedValue;
var authorizationHeaderValue =
    "hmac " + apikey.id + ":" + signature + ":" + nonce + ":" + unixts;
```
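The pseudo code above, worked through as an added Python example that is not part of this documentation: a client function that builds the header, and a server-side verifier that checks the format, the key id, the timestamp window, the signature (constant-time compare) and nonce reuse, mapping each failure to one of the error codes in the table above. Assumptions not stated on the page: the secret is used as UTF-8 bytes, "urlencoded lowercased" means lowercase first and then percent-encode every character, a 300-second clock window, and unknown key ids or stale timestamps are reported as request_invalid_signature because the page defines no separate code for them.

```python
import base64, hashlib, hmac, secrets, time, urllib.parse

def body_digest(body: bytes) -> str:
    # Base64 of the MD5 of the body; empty string for an empty body, as in the pseudo code
    return base64.b64encode(hashlib.md5(body).digest()).decode() if body else ""

def value_to_sign(key_id, method, path_and_query, unixts, nonce, body):
    # Assumption: "urlencoded lowercased" means lowercase first, then percent-encode all characters
    canon = urllib.parse.quote(path_and_query.lower(), safe="")
    return key_id + method.lower() + canon + str(unixts) + nonce + body_digest(body)

def signature(secret, value):
    # "sha256 hashed using the secret" is HMAC-SHA256; the secret is assumed to be used as UTF-8 bytes
    mac = hmac.new(secret.encode(), value.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def build_header(key_id, secret, method, path_and_query, body=b"", unixts=None, nonce=None):
    unixts = int(time.time()) if unixts is None else unixts
    nonce = secrets.token_urlsafe(16) if nonce is None else nonce  # fresh random value per request
    sig = signature(secret, value_to_sign(key_id, method, path_and_query, unixts, nonce, body))
    return f"hmac {key_id}:{sig}:{nonce}:{unixts}"

class Verifier:
    """Server side: format check, key lookup, timestamp window, constant-time MAC compare, nonce replay."""
    def __init__(self, secrets_by_id, max_skew=300):
        self.secrets_by_id = secrets_by_id
        self.max_skew = max_skew    # assumption: accepted clock drift in seconds
        self.seen_nonces = set()    # production: shared store with a TTL of at least max_skew

    def verify(self, header, method, path_and_query, body, now):
        # Returns None on success or one of the error codes from the table above
        if not header:
            return "auth_header_missing"
        scheme, _, param = header.partition(" ")
        parts = param.split(":")
        if scheme != "hmac" or len(parts) != 4 or not parts[3].isdigit():
            return "auth_header_invalid"
        key_id, sig, nonce, ts = parts
        secret = self.secrets_by_id.get(key_id)
        # Unknown key id or stale timestamp: the page defines no separate code, so treat as a bad signature
        if secret is None or abs(now - int(ts)) > self.max_skew:
            return "request_invalid_signature"
        expected = signature(secret, value_to_sign(key_id, method, path_and_query, int(ts), nonce, body))
        if not hmac.compare_digest(expected.encode(), sig.encode()):  # constant-time comparison
            return "request_invalid_signature"
        if nonce in self.seen_nonces:  # checked only after the MAC is valid, so unauthenticated callers cannot fill the store
            return "replay_request"
        self.seen_nonces.add(nonce)
        return None
```

Verifying the signature before recording the nonce matters: otherwise anyone able to reach the endpoint could fill the nonce store with unauthenticated requests.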