The value of the Date HTTP header is used as part of the request signing process, so that a signed request is only valid for a limited time. For this reason, the system clocks on the client and server sides must be synchronized, up to an allowed time skew of ±30 seconds.
If the server receives an API request whose Date header value differs from the server clock by more than 30 seconds (either before or after), the request will not be accepted.
In order to send authenticated API requests, you are required to send the X-Zend-Signature HTTP header with each request. It must be in the following format:
X-Zend-Signature: <key name>; <signature>
Where <key name> is replaced with the key name, and <signature> is replaced with the calculated request signature.
There can be any number of whitespace characters before or after the separating semicolon.
Example:
Note: The signature is expected to be 64 characters long, and is cut here for readability purposes.
The request signature is a 64-digit hexadecimal number, with the digits a-f in lower case, calculated using the following method:
To create a signature:
When sending the following API request:
Using a key named “angel.eyes” with the following value:
The request parameters to be signed, concatenated into a string, are:
From this value, an HMAC/SHA-256 signature will be calculated using the API key. For example, using the hash_hmac() PHP function:
The final request, including the added X-Zend-Signature header, is (lines are broken for readability):
The server then proceeds to generate the same signature, based on the same data and same secret key. If the two signatures match, the request will be accepted.
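The server-side checks described above (header format, ±30 second Date window, HMAC/SHA-256 comparison) can be sketched as follows. This is an added example, not Zend Server's own code: the function names, the $keys store and all sample values are constructed, and the string to sign is passed in by the caller because its exact layout is not reproduced here.

```php
<?php
// Added example, not Zend Server code. Assumption: the caller builds
// $stringToSign exactly as the client did; $keys is a hypothetical key store.
const MAX_SKEW_SECONDS = 30;

/** Split "<key name>; <signature>" into its two parts, or return null. */
function parseZendSignature(string $headerValue): ?array
{
    // Any amount of whitespace is allowed around the semicolon; the signature
    // must be exactly 64 lower-case hexadecimal digits.
    if (!preg_match('/^\s*([^;]+?)\s*;\s*([0-9a-f]{64})\s*$/', $headerValue, $m)) {
        return null;
    }
    return ['key' => $m[1], 'signature' => $m[2]];
}

/** True when the Date header is within 30 seconds of the server clock. */
function dateWithinSkew(string $dateHeader, int $now): bool
{
    $ts = strtotime($dateHeader);
    return $ts !== false && abs($now - $ts) <= MAX_SKEW_SECONDS;
}

function verifyRequest(array $headers, string $stringToSign, array $keys, int $now): bool
{
    $parsed = parseZendSignature($headers['X-Zend-Signature'] ?? '');
    if ($parsed === null || !isset($keys[$parsed['key']])) {
        return false; // malformed header or unknown key name
    }
    if (!dateWithinSkew($headers['Date'] ?? '', $now)) {
        return false; // Date missing, unparsable, or outside the window
    }
    $expected = hash_hmac('sha256', $stringToSign, $keys[$parsed['key']]);
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading digits of a guessed signature were correct.
    return hash_equals($expected, $parsed['signature']);
}

// Constructed sample data (not taken from the page).
$keys    = ['example.key' => 'constructed-secret-value'];
$date    = 'Sun, 11 Jul 2010 13:16:10 GMT';
$now     = strtotime($date) + 12;                 // server clock 12 s ahead
$toSign  = 'constructed-string-to-sign:' . $date; // placeholder layout
$sig     = hash_hmac('sha256', $toSign, $keys['example.key']);
$headers = ['Date' => $date, 'X-Zend-Signature' => "example.key ;  $sig"];
var_dump(verifyRequest($headers, $toSign, $keys, $now));       // valid request
var_dump(verifyRequest($headers, $toSign, $keys, $now + 60));  // Date 72 s off
var_dump(verifyRequest($headers, $toSign . 'x', $keys, $now)); // altered data
```

Because the Date value is checked against the clock and is also part of what the caller signs in this sketch, a captured request stops verifying once it is more than 30 seconds old.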