API Authentication
Last updated
Was this helpful?
Last updated
Was this helpful?
All HTTP requests sent to the XCover API must be signed with a special signature. The signature must be provided in the Authorization
header. In order to generate signature partners need to have a valid API key and a secret signing key. Please note, a new signature must be generated for every request.
XCover API uses authentication.
To authenticate API request the client application needs to perform the following steps:
Prepare request data for signing.
Sign data using one of the HMAC algorithms such as SHA1
(dprecated), SHA256
, SHA384
or SHA512
algorithms.
Encode the signature using Base64
encoding.
URL encode the result of the previous step.
Prepare Authorization
header containing the Base64 and URL encoded signature string, API Key and the algorithm used, for example hmac-sha512
.
Please note the date string to be signed should be in e.g. Thu, 04 Nov 2021 18:07:11 GMT
The date must be padded e.g. 04.
Please note the signature must be a base64 encoded strictly matching RFC 4648. Some programming languages will URL safe base64 encode which will replace the "+" and "/" characters with "-" and "_" respectively. This will cause a "Signature string does not match!" error.
Below you can see an example code implementing these steps, this code can be used as a pre-request script in Postman.
XCover API offers provides access to staging environment that can be used to test the platform during the integration. To access the sandbox environment partners need to use testing API key that is provided by XCover team.