Authorization - niko-technologies/cards-open-api-docs GitHub Wiki

General overview

Requests are authorized by adding an Authorization header carrying a Bearer token whose value is your public key.

All non-GET requests must additionally be verified by adding a signature to the headers.

The signature is sent in the X-Signature header and is computed from the request data and your secret key.

  • Example of a GET request without a signature:
GET /v1/cards

Authorization: Bearer {{YOUR_PUBLIC_KEY}}

The signature is not required because no data is changed or created by a GET request, so the request body and parameters do not need to be validated.

  • Example of a non-GET request with a signature:
POST /v1/cards/order

Authorization: Bearer {{YOUR_PUBLIC_KEY}}
X-Signature: {{CALCULATED_SIGNATURE}}
Content-type: application/json

{
  "cardType": "VIRTUAL",
  "firstName": "First name",
  "lastName": "Last name"
}

Creating signature

The signature is an HMAC-SHA256 (hash-based message authentication code) computed over the request data with your secret key, encoded in base64.

Example of creating the signature in Node.js:

const { createHmac } = require('crypto');

// Your secret key; never send it in the request, it is only used to compute the HMAC.
const secretKey = 'YOUR_SECRET_KEY';

// The same object that is sent as the JSON request body.
const data = {
  cardType: 'VIRTUAL',
  firstName: 'First name',
  lastName: 'Last name',
};

// HMAC-SHA256 over the serialized body, base64-encoded, placed in the X-Signature header.
const signature = createHmac('sha256', secretKey)
  .update(JSON.stringify(data), 'utf8')
  .digest('base64');

console.log(signature); // kOxaXxoX0a8flTz3BkisKvDbonAEaLG2saQ/DXdeKkY=