Generate the Signature
Overview
To securely authenticate requests to the API, you must generate a signature using HMAC with SHA-256. The signature is generated using a secret_key and a secret_string, both of which depend on the specific API and the request details.
Obtain the secret_key
- The
secret_keyis provided by the API provider when you create an account or a specific API key. This value should be kept secure and not shared publicly.
Generate the secret_string
- The
secret_stringis a string that is constructed based on the API documentation. - The exact way to generate
secret_stringis detailed in the API documentation for the individual API. Ensure that you follow the correct order and format when combining the request details.
Generate the signature
- The
signatureis generated by applying HMAC using thesecret_keyandsecret_stringas inputs, using SHA-256 as the hashing algorithm. The resulting signature is converted to uppercase.
Example Code
Python
import hmac
import hashlib
# Step 1: Obtain the secret_key and secret_string from API documentation
secret_key = "your_secret_key" # Replace with your actual secret_key
secret_string = "your_generated_secret_string" # Replace with your actual secret_string
# Step 2: Generate the signature using HMAC and SHA-256
signature = hmac.new(
key=secret_key.encode('utf-8'),
msg=secret_string.encode('utf-8'),
digestmod=hashlib.sha256
).hexdigest().upper()
# Step 3: Use the signature in your API request headers
print(signature)
JavaScript (Node.js)
const crypto = require('crypto');
// Step 1: Obtain the secret_key and secret_string from API documentation
const secretKey = "your_secret_key"; // Replace with your actual secret_key
const secretStr = "your_generated_secret_string"; // Replace with your actual secret_string
// Step 2: Generate the signature using HMAC and SHA-256
const signature = crypto.createHmac('sha256', secretKey)
.update(secretStr)
.digest('hex')
.toUpperCase();
// Step 3: Use the signature in your API request headers
console.log(signature);
Java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.util.Base64;
import java.nio.charset.StandardCharsets;
public class HmacSha256Signature {
public static void main(String[] args) throws Exception {
String secretKey = "your_secret_key"; // Replace with your actual secret_key
String secretStr = "your_generated_secret_string"; // Replace with your actual secret_string
Mac mac = Mac.getInstance("HmacSHA256");
SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
mac.init(secretKeySpec);
byte[] hmacSha256 = mac.doFinal(secretStr.getBytes(StandardCharsets.UTF_8));
String signature = bytesToHex(hmacSha256).toUpperCase();
System.out.println(signature);
}
private static String bytesToHex(byte[] bytes) {
StringBuilder hexString = new StringBuilder();
for (byte b : bytes) {
hexString.append(String.format("%02x", b));
}
return hexString.toString();
}
}
PHP
<?php
$secret_key = "your_secret_key"; // Replace with your actual secret_key
$secret_string = "your_generated_secret_string"; // Replace with your actual secret_string
$signature = strtoupper(hash_hmac('sha256', $secret_string, $secret_key));
echo $signature;
?>
Go
package main
import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"fmt"
)
func main() {
secretKey := "your_secret_key" // Replace with your actual secret_key
secretStr := "your_generated_secret_string" // Replace with your actual secret_string
h := hmac.New(sha256.New, []byte(secretKey))
h.Write([]byte(secretStr))
signature := hex.EncodeToString(h.Sum(nil))
fmt.Println(strings.ToUpper(signature))
}
Security Considerations
- Always keep the
secret_keyprivate and secure. Do not hard-code it in your code, and do not expose it to the client side. - Ensure that your
secret_stringis constructed exactly as described in the documentation, as even minor changes can result in an invalid signature.
By following these steps, you can securely generate a signature for authentication with any API that uses HMAC with SHA-256. Be sure to consult the API documentation for specific details on constructing the secret_string.