The following header elements are applicable if using HMAC Authorization.
| Name | Required/Optional | Description |
|---|---|---|
content-type | Required | Content type of the API call (e.g., application/json). Note: For a GET API call, content-type should not be passed as a header as it does not apply. |
x-api-date | Required | Date string for the request. Must be in the format yyyy-MM-dd HH:mm:ss zzzz (e.g., 2018-10-10 22:57:40 -05:00). Requests with a date older than 120 seconds will be rejected. If this header is not set, the default header date will be used and converted for comparison. |
x-api-key | Required | Key identifier string for the calling client application. Provided by service support during initial API setup. |
x-api-signature | Required | Base64 encoded string of the calculated HMAC SHA1 hash. See below for details on how to calculate. |
x-api-clientname | Optional | If the API account has cross-client access, this header can be used to specify the Client Name for the connection. Not required for accounts with single client access. |
Generating HMAC SHA1 Hash for x-api-signature:
x-api-signature:First create a string of the following items (concatenated without any spaces in between):
- HTTP Method Verb used in REST API call. Ex: POST, PUT, GET, etc.... Use UPPER case.
- Content Type Should match the value used in the header for content-type. If content-type was not included as a header (in the GET scenario), use an empty string for this value.
- Request Date Should match the date string used in the header for x-api-date.
- Request URI Should be the URI path and query of the API call. Note this does not include the host name. Ex. /OrigamiApi/api/Webhook/GetHandlers
- Secret Key An additional secret key will be provided to the calling application during the initial API setup. This key is never to be sent separately in any API calls as a header element but is used in generating the signature.
Take the concatenated string above as the "input" and create a HMAC SHA1 Hash using the x-api-key and then encode the result as a Base64 string.
Below is an example of a C# method to create a HMAC SHA1 hashed string. In this example the input would be the concatenated string value and the key would be the x-api-key value.
public static string GetHMACSHA1(string input, string key)
{
using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(key)))
{
byte[] buffer = Encoding.ASCII.GetBytes(input);
return System.Convert.ToBase64String(hmac.ComputeHash(buffer));
}
}public static string GetHMACSHA1(string input, string key)
{
using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(key)))
{
byte[] buffer = Encoding.ASCII.GetBytes(input);
return System.Convert.ToBase64String(hmac.ComputeHash(buffer));
}
}function getHMACSHA1($input, $key) {
$hash = hash_hmac('sha1', $input, $key, true);
return base64_encode($hash);
}
// Example usage:
echo getHMACSHA1("message", "secret");import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.util.Base64;
public class HMACSHA1Example {
public static String getHMACSHA1(String input, String key) throws Exception {
SecretKeySpec signingKey = new SecretKeySpec(key.getBytes("ASCII"), "HmacSHA1");
Mac mac = Mac.getInstance("HmacSHA1");
mac.init(signingKey);
byte[] rawHmac = mac.doFinal(input.getBytes("ASCII"));
return Base64.getEncoder().encodeToString(rawHmac);
}
public static void main(String[] args) throws Exception {
System.out.println(getHMACSHA1("message", "secret"));
}
}const crypto = require('crypto');
function getHMACSHA1(input, key) {
const hmac = crypto.createHmac('sha1', key);
hmac.update(input, 'ascii');
return hmac.digest('base64');
}
// Example usage:
console.log(getHMACSHA1("message", "secret"));require 'openssl'
require 'base64'
def get_hmac_sha1(input, key)
hmac = OpenSSL::HMAC.digest('sha1', key, input)
Base64.strict_encode64(hmac)
end
# Example usage: