Document toolboxDocument toolbox

Authorizing Provisioning API Requests

Owned by Juan Tomás Alonso Nieto (Deactivated)
Last updated: Nov 27, 2024 by Alvaro de la Serna Martinez
3 min read
[ 1 Authorization header ] [ 1.1 Authorization for common domains ] [ 1.2 Authorization for multitenant domains ] [ 2 Signature error ]

Authorization header

The authorization process varies depending if you’re working with common or multitenant domains. Check the process for each case below:

Authorization for common domains

To authorize your requests for common domains, add a standAloneToken header to your API request that contains a valid token.

You can generate this token in the Administration → Credentials → Authentication tokens area of Devo. Click Create token and choose any token type (currently, any type is valid for this API). Give your token a name, enter the authorized user and required target data tables you want to work with, and click Create to generate it.

Token permissions

Note that the actions you can perform when you authorize your API access using a token are the ones you can perform according to your role permissions in Devo.

image-20240917-134444.png

The generated token will appear in the same area, in the table below. Click its name and copy the token value from the details window that appears. Learn more about tokens in Devo in Authentication tokens.

The following is a Provisioning API request for common domains in cURL language authorized with the corresponding header:

curl -H "standAloneToken:YOUR_TOKEN" -X GET "https://api-us.devo.com/probio/user/email/user@devo.com"

Authorization for multitenant domains

Provisioning API requests for multitenant domains must be authorized using an HMAC256 signature. The headers required to authorize your requests are:

Header

Description

Header

Description

x-logtrust-timestamp

The request timestamp, as an epoch in milliseconds.

x-logtrust-sign

The request HMAC signature. The value for x-logtrust-sign is the result of encoding the string concatenation of the API key, the body (if any), and the timestamp provided (in this order) with the HMAC256 algorithm, using the common or multitenant domain API secret.

x-logtrust-domain-apikey

The multitenant domain API key. Learn more about Devo access keys (API key and API secret) in Security credentials.

x-logtrust-reseller-apikey

The multitenant API key. Contact us to get the API key required for multitenant management.

Check below some signature examples:

curl --request POST \ --url https://api-xx.devo.com/probio/operation \ --header 'Content-Type: application/json' \ --header 'cache-control: no-cache' \ --header 'x-logtrust-reseller-apikey: apikey' \ --header 'x-logtrust-timestamp: timestamp' \ --header 'x-logtrust-sign: calculated_signature' \ --data '{"data": "data"}'

This requires the CryptoJS library.

var apiKey = 'my-api-key'; var apiSecret = 'my-api-secret'; var timestamp = new Date().getTime(); var hmacObject = CryptoJS.HmacSHA256(apiKey + body + timestamp, apiSecret); var hmacString = hmacObject.toString(CryptoJS.enc.Hex);

  • The body value can be null if no body is included.

  • The timestamp value is the same as the one included in the x-logtrust-timestamp header (an epoch in milliseconds).

  • The hmacString value is the final signature value to be sent.

  • The data value can be null if the request has no content.

  • The timestamp value generates a timestamp in milliseconds, as required by the x-logtrust-timestamp header.

This requires the javax.crypto library.

Signature error

If the signature is not properly configured, the response will include the following error:

If you get this error, check that your request includes all the necessary headers, that you are not trying to access a multitenant endpoint with domain credentials (or vice versa), and that all the specified values are correct.