REST Request Headers - omnypay/omnypay-platform-api GitHub Wiki

Each API Request must include the following HEADERS:

x-api-key: ${API_KEY}
x-timestamp: ${TIMESTAMP}
x-correlation-id: ${CORRELATION_ID}
x-signature: ${SIGNATURE}

x-api-key

This is the api key assigned to each merchant. It is part of a matched pair of api-key and api-secret that you would get from Omnyway. The api-secret is used in creating the HMAC Signature described below.

x-timestamp

The Unix epoch time in seconds. In JavaScript:

var timestamp = Math.floor(new Date().getTime() / 1000);

x-correlation-id

A unique alphanumeric value for each "Session". The convention is to prefix the Correlation-ID with something useful related to the use case, primarily to differentiate between production data, test data, use cases, or health checks.

For example, this is the template for requests from our Runscope Smoke Tester:

RUNSCOPE-{{random_int(111111111,999999999)}}

x-signature

This is an HMAC SHA256 signature calculated from many of the elements of the API Request.

Input elements of the Signature:

  • apiSecret - The Secret portion of the api-key / api-secret
  • requestMethod - Request Method. This should be "GET", "POST", "PUT" etc.
  • timestamp - Unix Epoch in Seconds at the time of making the call
  • apiKey - The api-key described earlier
  • urlPath - The path component of the URL, i.e. the part after the host:port
  • correlationId - The correlation id as described earlier
  • payload - The body of the request, exactly as it will be sent

Example JavaScript implementation

You will need to modify this to fit your application. The main thing is to take all the inputs described above and pass them through the function below (or your own implementation in any other language). The result of the function is the value to set in the x-signature header.

The CryptoJS functions can be found at https://github.com/brix/crypto-js and https://cdnjs.com/libraries/crypto-js

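// Requires CryptoJS (see the links above) to be loaded.
function generateSignature(apiSecret,
                           requestMethod,
                           timestamp,
                           apiKey,
                           urlPath,
                           correlationId,
                           payload)
{
    // The fields are concatenated in this fixed order with no separator.
    // Note that this order differs from the order of the function parameters.
    var stringToHash = [apiKey,
                        timestamp,
                        correlationId,
                        requestMethod.toUpperCase(),
                        urlPath,
                        payload].join(""),
        // HMAC-SHA256 keyed with the api-secret, encoded as lowercase hex.
        pass1 = CryptoJS.HmacSHA256(stringToHash, apiSecret),
        hash = CryptoJS.enc.Hex.stringify(pass1);
    // Debug output only; stringToHash contains the full request payload.
    console.debug("stringToHash: " + stringToHash);
    console.debug("hash: " + hash);
    return hash;
}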
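
The same signature computed with Node.js's built-in crypto module instead of CryptoJS, together with assembly of the four headers and a receiver-side check. This is an added example, not code from Omnyway or this wiki. The helpers buildSignedRequest and verifySignature, the empty-string payload for requests without a body, the receiver's behaviour, and all sample values are assumptions.

```javascript
const crypto = require("node:crypto");

// Same field order as generateSignature on this page, joined with no separator.
function signRequest(apiSecret, requestMethod, timestamp, apiKey,
                     urlPath, correlationId, payload) {
  const stringToHash = [apiKey, timestamp, correlationId,
                        requestMethod.toUpperCase(), urlPath, payload].join("");
  return crypto.createHmac("sha256", apiSecret)
               .update(stringToHash, "utf8")
               .digest("hex");
}

// Hypothetical helper: serialize the body once, then sign and send that exact string.
function buildSignedRequest(creds, method, urlPath, correlationId, bodyObject, nowSeconds) {
  const body = bodyObject === undefined ? "" : JSON.stringify(bodyObject);
  const timestamp = String(nowSeconds ?? Math.floor(Date.now() / 1000));
  const headers = {
    "x-api-key": creds.apiKey,
    "x-timestamp": timestamp,
    "x-correlation-id": correlationId,
    "x-signature": signRequest(creds.apiSecret, method, timestamp,
                               creds.apiKey, urlPath, correlationId, body),
  };
  return { method: method.toUpperCase(), urlPath, headers, body };
}

// Assumed receiver-side check (not described on the page): recompute the HMAC
// from the received request and compare in constant time.
function verifySignature(apiSecret, req) {
  const h = req.headers;
  const expected = Buffer.from(
    signRequest(apiSecret, req.method, h["x-timestamp"], h["x-api-key"],
                req.urlPath, h["x-correlation-id"], req.body), "hex");
  const received = Buffer.from(String(h["x-signature"] ?? ""), "hex");
  return received.length === expected.length &&
         crypto.timingSafeEqual(received, expected);
}

// Constructed sample values, not real credentials or endpoints.
const creds = { apiKey: "demo-key", apiSecret: "demo-secret" };
const req = buildSignedRequest(creds, "post", "/api/example", "TEST-123456789",
                               { amount: 100 }, 1700000000);
console.log(req.headers, verifySignature(creds.apiSecret, req));

// Re-serializing the body after signing changes the bytes and breaks the signature.
const reserialized = { ...req, body: JSON.stringify({ amount: 100 }, null, 2) };
console.log(verifySignature(creds.apiSecret, reserialized));
```

Sign the string that actually goes on the wire: an HTTP client that re-encodes the JSON body after signing will produce a signature mismatch.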