Authorizing Provisioning API Requests

Authorization header

The authorization process depends on whether you are working with common or multitenant domains. The process for each case is described below.

Authorization for common domains

To authorize your requests for common domains, add a standAloneToken header to your API request that contains a valid token.

You can generate this token in the Administration → Credentials → Authentication tokens area of Devo. Click Create token and choose any token type (currently, any type is valid for this API). Give your token a name, enter the authorized user and the target data tables you want to work with, and click Create to generate it.

Token permissions

Note that the actions you can perform when you authorize your API access using a token are the ones you can perform according to your role permissions in Devo.

The generated token will appear in the same area, in the table below. Click its name and copy the token value from the details window that appears. Learn more about tokens in Devo in Authentication tokens.

The following is a Provisioning API request for common domains, written as a cURL command and authorized with the corresponding header:

curl -H "standAloneToken:YOUR_TOKEN" -X GET "https://api-us.devo.com/probio/user/email/user@devo.com"

Authorization for multitenant domains

Provisioning API requests for multitenant domains must be authorized using an HMAC256 signature. The headers required to authorize your requests are:

| Header | Description |
| --- | --- |
| x-logtrust-timestamp | The request timestamp, as an epoch in milliseconds. |
| x-logtrust-sign | The request HMAC signature. The value for x-logtrust-sign is the result of encoding the string concatenation of the API key, the body (if any), and the timestamp provided (in this order) with the HMAC256 algorithm, using the common or multitenant domain API secret. |
| x-logtrust-domain-apikey | The multitenant domain API key. Learn more about Devo access keys (API key and API secret) in Security credentials. |
| x-logtrust-reseller-apikey | The multitenant API key. Contact us to get the API key required for multitenant management. |

Some signature examples follow:

 

Creating the signature using cURL

curl --request POST \
  --url https://api-xx.devo.com/probio/operation \
  --header 'Content-Type: application/json' \
  --header 'cache-control: no-cache' \
  --header 'x-logtrust-reseller-apikey: apikey' \
  --header 'x-logtrust-timestamp: timestamp' \
  --header 'x-logtrust-sign: calculated_signature' \
  --data '{"data": "data"}'

 

Creating the signature using JavaScript

This requires the CryptoJS library.

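var apiKey = 'my-api-key';
var apiSecret = 'my-api-secret';
var body = null; // request body as a string, or null when the request has no body
var timestamp = new Date().getTime(); // epoch in milliseconds
// Sign apiKey + body + timestamp; a null body contributes nothing to the string
var hmacObject = CryptoJS.HmacSHA256(apiKey + (body || '') + timestamp, apiSecret);
var hmacString = hmacObject.toString(CryptoJS.enc.Hex);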
  • The body value can be null if no body is included.

  • The timestamp value is the same as the one included in the x-logtrust-timestamp header (an epoch in milliseconds).

  • The hmacString value is the final signature value to be sent.

 

Creating the signature using Python

import time
import hmac
import hashlib

api_key = 'my-api-key'
api_secret = 'my-api-secret'
data = None  # request body as a string, or None when the request has no content
timestamp = str(int(time.time() * 1000))  # epoch in milliseconds
# Sign api_key + data + timestamp; a missing body contributes nothing to the string
sign = hmac.new(bytes(api_secret, 'utf-8'), bytes(api_key + (data or '') + timestamp, 'utf-8'), hashlib.sha256)
sign = sign.hexdigest()
  • The data value can be null if the request has no content.

  • The timestamp value generates a timestamp in milliseconds, as required by the x-logtrust-timestamp header.

 

Creating the signature using Java

This requires the javax.crypto library.

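import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Hex; // Apache Commons Codec, used for hex encoding

public String getSignature(String apiKey, String secret, String ts, String body) throws GeneralSecurityException {
    // Signed string: API key + body (if any) + timestamp
    String src = body != null ? apiKey + body + ts : apiKey + ts;
    Mac sha256HMAC = Mac.getInstance("HmacSHA256");
    SecretKeySpec secretKey = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
    sha256HMAC.init(secretKey);
    return Hex.encodeHexString(sha256HMAC.doFinal(src.getBytes(StandardCharsets.UTF_8)));
}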

 

Creating the signature using C#

using System;
using System.Security.Cryptography;
using System.Text;

namespace Devo
{
    class Program
    {
        public string getSignature()
        {
            String key = "my-api-key";
            String secret = "my-api-secret";
            String body = "";
            // Epoch in milliseconds, formatted independently of the current culture
            String unixTimestamp = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds().ToString();
            // HMAC-SHA256 signature over key + body + timestamp
            String data = key + body + unixTimestamp;
            byte[] byteArrayData = Encoding.UTF8.GetBytes(data);
            byte[] byteArraySecret = Encoding.UTF8.GetBytes(secret);
            using (var hash = new HMACSHA256(byteArraySecret))
            {
                byte[] byteSigned = hash.ComputeHash(byteArrayData);
                var hexString = BitConverter.ToString(byteSigned);
                return hexString.Replace("-", "").ToLower();
            }
        }

        public static void Main(string[] args)
        {
            Program p = new Program();
            Console.WriteLine(p.getSignature());
        }
    }
}

Signature error

If the signature is not properly configured, the response will include the following error:

{
  "error": {
    "code": 12,
    "message": "Invalid signature validation"
  }
}

If you get this error, check that your request includes all the necessary headers, that you are not trying to access a multitenant endpoint with domain credentials (or vice versa), and that all the specified values are correct.
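
The checks listed above can be run locally before a request is sent. The following Python is an added example, not Devo's own code: it builds the multitenant headers described in the table and then re-derives the signature from the exact body and timestamp about to be sent. The function names (sign, build_headers, preflight), the 13-digit timestamp heuristic and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import time

REQUIRED = ("x-logtrust-timestamp", "x-logtrust-sign")
KEY_HEADERS = ("x-logtrust-domain-apikey", "x-logtrust-reseller-apikey")


def sign(api_key, api_secret, body, timestamp_ms):
    """Hex HMAC-SHA256 of api_key + body + timestamp, keyed with the API secret."""
    message = api_key + (body or "") + str(timestamp_ms)
    return hmac.new(api_secret.encode("utf-8"), message.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def build_headers(api_key, api_secret, body=None,
                  key_header="x-logtrust-reseller-apikey", now_ms=None):
    """Headers for one request; body must be the exact string that is sent."""
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    return {
        key_header: api_key,
        "x-logtrust-timestamp": str(ts),
        "x-logtrust-sign": sign(api_key, api_secret, body, ts),
    }


def preflight(headers, body, api_key, api_secret):
    """Return the local mistakes that lead to 'Invalid signature validation'."""
    problems = ["missing header " + h for h in REQUIRED if h not in headers]
    if not any(headers.get(h) == api_key for h in KEY_HEADERS):
        problems.append("no API key header carries the key that was signed")
    if problems:
        return problems
    ts = headers["x-logtrust-timestamp"]
    # Heuristic (assumption): a current epoch in milliseconds has 13 digits.
    if not ts.isdigit() or len(ts) < 13:
        problems.append("timestamp is not an epoch in milliseconds")
    expected = sign(api_key, api_secret, body, ts)
    if not hmac.compare_digest(expected, headers["x-logtrust-sign"]):
        problems.append("signature does not match the body and timestamp being sent")
    return problems


if __name__ == "__main__":
    sent = '{"data": "data"}'  # constructed sample body
    hdrs = build_headers("my-api-key", "my-api-secret", sent)
    print(preflight(hdrs, sent, "my-api-key", "my-api-secret"))  # no problems
    print(preflight(hdrs, '{"data":"data"}', "my-api-key", "my-api-secret"))  # re-serialized body
```

A frequent cause of a mismatch is signing one serialization of the JSON body and letting the HTTP client send another, so sign the same string that goes on the wire.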