This tutorial provides guidance on generating authentication headers.
Authentication in this API is performed using HMAC (Hash-based Message Authentication Code) to ensure the integrity and authenticity of requests.
HMAC
HMAC is an authentication technique that combines a cryptographic hash with a secret key to generate a digital signature of the message.
Authorization Header
To authenticate your requests, you must include an Authorization header in the format API_KEY:NONCE:SIGNATURE.
- API_KEY: The API key assigned to the client.
- NONCE: A unique value used once to prevent replay attacks.
- SIGNATURE: HMAC signature of the message.
Authentication Process
- Message Generation
  - Concatenate NONCE, request method (method), request path (path), and request payload (payload) into a single string.
  - Example: ${NONCE}${method}${path}${payload}.
- Signature Calculation
  - Use the secret key associated with the API_KEY to calculate the HMAC of the generated message.
  - The signature is calculated using a cryptographic hash function, such as SHA-256.
- Inclusion in Authorization Header
  - Format the Authorization header as API_KEY:NONCE:SIGNATURE and include it in each request.
Example Authorization Generation (Postman)
To illustrate, here's an example of generating the HMAC authorization header using Postman:
// Credentials are read from Postman variables so the secret never appears in the request definition.
const apiKey = pm.variables.get('apiKey');
const secretKey = pm.variables.get('secretKey');
// Nonce: a value that must not be reused; here the current timestamp in milliseconds.
const nonce = Date.now();
const method = pm.request.method;
const path = pm.request.url.getPath();
// Re-serialize the JSON body so client and server sign the same canonical bytes; empty string when there is no body.
const payload = pm.request.body.raw ? JSON.stringify(JSON.parse(pm.request.body.raw)) : "";
// Message to sign, in the order NONCE + method + path + payload.
const message = `${nonce}${method}${path}${payload}`;
const hash = CryptoJS.HmacSHA256(message, secretKey);
const signature = CryptoJS.enc.Hex.stringify(hash);
// Header value in the form API_KEY:NONCE:SIGNATURE.
const authHeader = `${apiKey}:${nonce}:${signature}`;
pm.request.headers.add({key: 'Authorization', value: authHeader});