API Authentication
Generation of HMAC, Content MD5 and header for API authentication
Every request to the platform must follow the API Authentication protocol set by Stilt. There are two steps to it:
  • It must pass the correct request headers with the expected parameters.
  • It must generate an HMAC for every request before sending it to the Stilt Server, as Stilt will reject any request that does not carry a valid header.

HMAC Generation

The HMAC algorithm requires three components:

Name         Type    Description
URL          uri
Content MD5  string  The request's body after removing white-spaces and line-breaks (according to the regex /(\r\n|\n|\r|\s+)/gm). The stripped body must then be hashed with the MD5 algorithm.
EPOCH        int     Number version of Unix Epoch time: https://www.epochconverter.com/
With these three variables, the platform should use the HMAC-SHA256 algorithm to create the HMAC value:
// Javascript example
// Strip white-space and line-breaks from the body using the regex above
body = request.body.toString().replace(/(\r\n|\n|\r|\s+)/gm, '');
// Content-MD5 stays empty when the request has no body
md5 = "";
if (body != "") {
  md5 = CryptoJS.MD5(body).toString();
}
// url: the request URL, epoch: Unix time in seconds, key: your client secret
hmac = CryptoJS.HmacSHA256(url + md5 + epoch, key).toString();
A more verbose example of the HMAC creation can be seen in the Pre-Request Script of the Postman Collection we will provide you to test the APIs. There you can see that the HMAC is automatically calculated at runtime for every request sent.
For extra security, the HMAC hash is valid for only 60 seconds. Attempts to use the same HMAC after this time will result in HTTP Status 403: Forbidden.

Authentication Header

Using the HMAC method described above, the platform should add the HMAC, Client UUID (your platform UUID), EPOCH and Content-MD5 as part of the client request headers:

Header         Value
X_CLIENT_UUID  The UUID received
X_STILT_HMAC   The HMAC as calculated above
EPOCH          Number version of Unix Epoch time: https://www.epochconverter.com/
Content-MD5    Content-MD5 generated as a part of HMAC generation
Any API call without the correct Authentication header will not get a response from Stilt Platform.