Signature of API requests

To secure exchanges between your application and Iswigo, all API requests must be signed.

Overview

The signature must be sent in the HTTP header X-Iswigo-Signature. The signature value is the SHA256 digest of the concatenation of:

  • Secret key of your application
  • HTTP request method in lower case
  • Path of the request including the query string (without scheme and host)
  • Body content

The elements of the concatenation must be separated by the "+" character. In the examples below, the resulting hex digest is prefixed with "$5$".

If the client or secret key is invalid, the HTTP error status will be "Client or secret key is invalid".

Example

NodeJS example

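const CryptoJS = require('crypto-js')

// Secret key, lower-case method, path with query string and body, joined with "+"
const signatureData = [
    APPLICATION_SECRET_KEY,
    request.method.toLowerCase(),
    request.url.path,
    request.body || ''
].join('+')
// CryptoJS.SHA256 returns a WordArray; string concatenation yields its hex form
const signature = '$5$' + CryptoJS.SHA256(signatureData)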
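
The following Node.js sketch is an added example, not Iswigo's code. It uses the built-in crypto module and shows two common causes of a rejected signature: signing a full URL instead of the path with query string, and signing a body that differs from the bytes actually sent. The secret key, host, path and payload are constructed, and the function names are hypothetical.

```javascript
// Added example, not Iswigo's code. Key, host, path and payload are constructed.
const crypto = require('crypto');

// Path plus query string, without scheme and host.
// Accepts an absolute URL or a bare path; the base is only used for parsing.
function pathWithQuery(url) {
  const u = new URL(url, 'https://placeholder.invalid');
  return u.pathname + u.search;
}

// '$5$' + hex SHA-256 of secret, method, path and body joined with "+".
function signRequest(secretKey, method, url, body = '') {
  const data = [secretKey, method.toLowerCase(), pathWithQuery(url), body].join('+');
  return '$5$' + crypto.createHash('sha256').update(data, 'utf8').digest('hex');
}

// Serialize the payload once and sign exactly the string that will be sent.
function buildSignedRequest(secretKey, method, url, payload) {
  const body = payload === undefined ? '' : JSON.stringify(payload);
  const init = {
    method,
    headers: { 'X-Iswigo-Signature': signRequest(secretKey, method, url, body) },
  };
  if (body !== '') init.body = body; // no payload: the empty string is signed
  return { url, init };
}

const SECRET = 'constructed-secret-key';
const SAMPLE_URL = 'https://api.example.invalid/v1/items?page=2';
const signed = buildSignedRequest(SECRET, 'POST', SAMPLE_URL, { name: 'demo' });

// Pitfall: the same JSON re-serialized with different whitespace is a
// different body, so its signature no longer matches the one that was sent.
const reserialized = signRequest(
  SECRET, 'POST', SAMPLE_URL, JSON.stringify({ name: 'demo' }, null, 2));

console.log(signed.init.headers['X-Iswigo-Signature']);
console.log(signed.init.headers['X-Iswigo-Signature'] === reserialized); // false
```

The returned init object has the shape accepted by fetch(url, init), so the signed body and the transmitted body are the same string.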

PHP 7 example (with PSR-7)

use Psr\Http\Message\RequestInterface;

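/**
 * Returns '$5$' followed by the SHA256 hex digest of the secret key,
 * lower-case method, path with query string and body, joined with "+".
 */
function getRequestSignature(RequestInterface $request, string $secretKey): string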
{
    return
        '$5$'
        . hash(
            'sha256',
            $secretKey
            . '+' . strtolower($request->getMethod())
            . '+' . $request->getUri()->getPath() . ($request->getUri()->getQuery() ? sprintf('?%s', $request->getUri()->getQuery()) : '')
            . '+' . $request->getBody()
        );
}