The API uses URL signing to secure requests. Below is an overview of how to use the x-tu-authorization header for secure communication.
A normal HTTP request will have the following headers:
Accept: application/json; charset=utf-8
x-tu-authorization: protocol:TU1,accesskey:8ZBZY9VXRD4N6ZKUKM87,signedheaders:Content-Type;User-Agent;X-tu-date,signature:48d2c3b1ad24e04687235a80e859e38326e25e171ea0985a67032b19c28269ce
X-tu-date: 2016-03-29T14:18:56.557+0200
User-Agent: java-test-case
Host: localhost:8080
Content-Type: application/json; charset=utf-8
x-tu-authorization Header Structure
The x-tu-authorization header consists of four parts, separated by commas. All parts are mandatory:
- protocol: The signing protocol used. Currently, only TU1 (HMAC-SHA256 algorithm) is supported.
- accesskey: The API access key that the service will use to identify your request for signature matching.
- signedheaders: A list of request headers used when constructing the signature.
- signature: The calculated signature.
For example:
protocol:TU1,accesskey:8ZBZY9VXRD4N6ZKUKM87,signedheaders:Content-Type;User-Agent;X-tu-date,signature:48d2c3b1ad24e04687235a80e859e38326e25e171ea0985a67032b19c28269ce
Note: To generate the signature included in the x-tu-authorization header, a Java example is provided. This ensures that your request is securely signed and can be validated by the server (see the relevant section of your implementation for details on how to calculate this signature).
Below is a code example for generating the signature for the x-tu-authorization header.
The code contains an example for both Java and C#:
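```java
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Hex;

// The class name is illustrative. SigningException is the caller's own
// exception type; it is not defined on this page.
public class SigningExample {

    // HMAC-SHA256 of data (UTF-8 encoded) under the given key.
    static byte[] HmacSHA256(String data, byte[] key) throws SigningException {
        String algorithm = "HmacSHA256";
        Mac mac;
        try {
            mac = Mac.getInstance(algorithm);
            mac.init(new SecretKeySpec(key, algorithm));
            return mac.doFinal(data.getBytes("UTF8"));
        } catch (NoSuchAlgorithmException | InvalidKeyException | IllegalStateException | UnsupportedEncodingException e) {
            throw new SigningException(e);
        }
    }

    // Chains the HMAC over Content-Type, User-Agent and X-tu-date, in that order:
    // each result becomes the key for the next header value.
    static byte[] getSignatureKey(String secretKey, String contentType, String userAgent, String tuDate) throws SigningException {
        byte[] kSigning;
        try {
            kSigning = secretKey.getBytes("UTF8");
            kSigning = HmacSHA256(contentType, kSigning);
            kSigning = HmacSHA256(userAgent, kSigning);
            kSigning = HmacSHA256(tuDate, kSigning);
            return kSigning;
        } catch (UnsupportedEncodingException e) {
            throw new SigningException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] signature = getSignatureKey("9kyJBe5ps1yaYpDKuJ/Jud293f*hy/J*aQ/Mq54f", "application/json; charset=utf-8", "java-test-case", "2016-03-29T14:18:56.557+0200");
        // Hex-encode the final HMAC; this string is the signature part of the header.
        System.out.println(Hex.encodeHexString(signature));
    }
}
```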
```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// HMAC-SHA256 of data (UTF-8 encoded) under the given key.
static byte[] HmacSHA256(String data, byte[] key)
{
    // HMACSHA256 is instantiated directly so the code runs on every .NET runtime.
    using (KeyedHashAlgorithm kha = new HMACSHA256(key))
    {
        return kha.ComputeHash(Encoding.UTF8.GetBytes(data));
    }
}

// Chains the HMAC over Content-Type, User-Agent and X-tu-date, in that order.
static byte[] getSignatureKey(String key, String contentType, String userAgent, String tuDate)
{
    byte[] kSigning = Encoding.UTF8.GetBytes(key);
    kSigning = HmacSHA256(contentType, kSigning);
    kSigning = HmacSHA256(userAgent, kSigning);
    kSigning = HmacSHA256(tuDate, kSigning);
    return kSigning;
}
```
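The Java and C# code stops at the raw signature. The following added example (Python, not part of the original page or the API vendor's code) assembles the complete x-tu-authorization header from it and shows how a receiving service could check one. The function names, the server-side check and the rule that only the three headers signed above are accepted are assumptions made for illustration.

```python
import hashlib
import hmac

SIGNED = ["Content-Type", "User-Agent", "X-tu-date"]  # order used by the page's code

def tu1_signature(secret_key, headers, signed_names=SIGNED):
    """Chained HMAC-SHA256: each header value is the message, the previous digest the key."""
    lookup = {name.lower(): value for name, value in headers.items()}
    key = secret_key.encode("utf-8")
    for name in signed_names:
        key = hmac.new(key, lookup[name.lower()].encode("utf-8"), hashlib.sha256).digest()
    return key.hex()  # lowercase hex, like Hex.encodeHexString

def build_authorization(access_key, secret_key, headers):
    return "protocol:TU1,accesskey:{},signedheaders:{},signature:{}".format(
        access_key, ";".join(SIGNED), tu1_signature(secret_key, headers))

def parse_authorization(value):
    """Split the header into its four mandatory parts; raise ValueError if malformed."""
    parts = dict(item.split(":", 1) for item in value.split(","))
    if set(parts) != {"protocol", "accesskey", "signedheaders", "signature"}:
        raise ValueError("x-tu-authorization needs exactly four parts")
    if parts["protocol"] != "TU1":
        raise ValueError("unsupported protocol")
    return parts

def verify_request(headers, secrets_by_access_key):
    """Server-side check (assumed behaviour): recompute and compare in constant time."""
    lookup = {name.lower(): value for name, value in headers.items()}
    try:
        parts = parse_authorization(lookup["x-tu-authorization"])
        # Assumption: only the header set signed by the page's code is accepted.
        if parts["signedheaders"].split(";") != SIGNED:
            return False
        expected = tu1_signature(secrets_by_access_key[parts["accesskey"]], headers)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected.encode(), parts["signature"].encode())

# Sample request built from the values shown on this page.
SAMPLE_SECRET = "9kyJBe5ps1yaYpDKuJ/Jud293f*hy/J*aQ/Mq54f"
SAMPLE_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",
    "User-Agent": "java-test-case",
    "X-tu-date": "2016-03-29T14:18:56.557+0200",
}
SAMPLE_HEADERS["x-tu-authorization"] = build_authorization(
    "8ZBZY9VXRD4N6ZKUKM87", SAMPLE_SECRET, SAMPLE_HEADERS)

if __name__ == "__main__":
    print(SAMPLE_HEADERS["x-tu-authorization"])
    print(verify_request(SAMPLE_HEADERS, {"8ZBZY9VXRD4N6ZKUKM87": SAMPLE_SECRET}))
```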