Authorizing Provisioning API requests
All Provisioning API requests must be authorized using an HMAC256 signature. The headers required to authorize your requests are:
Header | Description |
---|---|
x-logtrust-timestamp | The request timestamp, as an epoch in milliseconds. |
x-logtrust-sign | The request HMAC signature. The value for x-logtrust-sign is the result of encoding the string concatenation of the API key, the body (if any), and the timestamp provided (in this order) with the HMAC256 algorithm, using the common or reseller domain API secret. |
x-logtrust-domain-apikey | The domain API key (only for common domain requests). Learn more about Devo access keys (API key and API secret) in Security credentials. |
x-logtrust-reseller-apikey | The reseller API key (only for reseller requests). Contact us to get the API key required for reseller management. |
The following is an example of a signed request including all the required headers, using cURL:
```
curl --request POST \
  --url https://api-xx.devo.com/probio/operation \
  --header 'Content-Type: application/json' \
  --header 'cache-control: no-cache' \
  --header 'x-logtrust-reseller-apikey: apikey' \
  --header 'x-logtrust-timestamp: timestamp' \
  --header 'x-logtrust-sign: calculated_signature' \
  --data '{"data": "data"}'
```
Creating the signature using JavaScript
This requires the CryptoJS library.
createSignature.js
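```javascript
// CryptoJS is a global in the browser build; in Node.js, load it with require('crypto-js').
var apiKey = 'my-api-key';
var apiSecret = 'my-api-secret';
var body = '{"data": "data"}'; // exact request body as sent, or null if there is none
var timestamp = new Date().getTime();
// API key + body (if any) + timestamp, in this order. A null body must add nothing to the
// string; plain concatenation would append the text "null".
var hmacObject = CryptoJS.HmacSHA256(apiKey + (body || '') + timestamp, apiSecret);
var hmacString = hmacObject.toString(CryptoJS.enc.Hex);
```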
- The body value can be null if no body is included.
- The timestamp value is the same as the one included in the x-logtrust-timestamp header (an epoch in milliseconds).
- The hmacString value is the final signature value to be sent.
Creating the signature using Python
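```python
import time
import hmac
import hashlib

api_key = 'my-api-key'
api_secret = 'my-api-secret'
data = '{"data": "data"}'  # exact request body as sent, or None if there is none
# Epoch in milliseconds, as required by the x-logtrust-timestamp header
timestamp = str(int(time.time()) * 1000)
# API key + body (if any) + timestamp, in this order
sign = hmac.new(bytes(api_secret, 'utf-8'),
                bytes(api_key + (data or '') + timestamp, 'utf-8'),
                hashlib.sha256)
sign = sign.hexdigest()
```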
- The data value can be null if the request has no content.
- The timestamp value generates a timestamp in milliseconds, as required by the x-logtrust-timestamp header.
Creating the signature using Java
This requires the javax.crypto library.
CreateSignature.java
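```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Hex; // assumed: Hex is the Apache Commons Codec class

public String getSignature(String apiKey, String secret, String ts, String body)
        throws GeneralSecurityException {
    // API key + body (if any) + timestamp, in this order
    String src = body != null ? apiKey + body + ts : apiKey + ts;
    Mac sha256HMAC = Mac.getInstance("HmacSHA256");
    SecretKeySpec secretKey = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
    sha256HMAC.init(secretKey);
    return Hex.encodeHexString(sha256HMAC.doFinal(src.getBytes(StandardCharsets.UTF_8)));
}
```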
Creating the signature using C#
```csharp
using System;
using System.Security.Cryptography;
using System.Text;

namespace Devo
{
    class Program
    {
        public void getSignature()
        {
            String key = "my-api-key";
            String secret = "my-api-secret";
            String body = "";

            // Epoch in milliseconds, as required by the x-logtrust-timestamp header.
            // Taken as an integer so the result does not depend on culture or a decimal point.
            String unixTimestamp = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds().ToString();

            // HMAC-SHA256 signature over API key + body + timestamp
            String data = key + body + unixTimestamp;
            byte[] byteArrayData = Encoding.UTF8.GetBytes(data);
            byte[] byteArraySecret = Encoding.UTF8.GetBytes(secret);
            var hash = new HMACSHA256(byteArraySecret);
            byte[] byteSigned = hash.ComputeHash(byteArrayData);
            var hexString = BitConverter.ToString(byteSigned);
            String sign = hexString.Replace("-", "").ToLower(); // final signature value to be sent
        }

        public static void Main(string[] args)
        {
            Program p = new Program();
            p.getSignature();
        }
    }
}
```
Signature error
If the signature is not properly configured, the response will include the following error:
```
{
  "error": {
    "code": 12,
    "message": "Invalid signature validation"
  }
}
```
If you get this error, check that your request includes all the necessary headers, that you are not trying to access a reseller endpoint with domain credentials (or vice versa), and that all the specified values are correct.
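The checks listed above can be run locally before a request is sent. The following is an added example, not code from Devo: the helper names `sign`, `build_headers` and `preflight` are hypothetical, the credentials and timestamp are constructed sample values, and the "exactly one API key header" rule is this example's reading of the header table.

```python
import hashlib
import hmac
import time

DOMAIN_KEY = "x-logtrust-domain-apikey"
RESELLER_KEY = "x-logtrust-reseller-apikey"


def sign(api_key, api_secret, body, timestamp):
    """HMAC-SHA256 (hex) over API key + body (if any) + timestamp, keyed with the API secret."""
    message = api_key + (body or "") + timestamp
    return hmac.new(api_secret.encode("utf-8"), message.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def build_headers(api_key, api_secret, body=None, reseller=False, timestamp=None):
    """Return the authorization headers for one request; body is the exact string sent."""
    timestamp = timestamp or str(int(time.time() * 1000))
    return {
        RESELLER_KEY if reseller else DOMAIN_KEY: api_key,
        "x-logtrust-timestamp": timestamp,
        "x-logtrust-sign": sign(api_key, api_secret, body, timestamp),
    }


def preflight(headers, body, api_secret):
    """List local problems with a request before sending it (empty list: none found)."""
    problems = []
    keys = [h for h in (DOMAIN_KEY, RESELLER_KEY) if h in headers]
    if len(keys) != 1:
        problems.append("exactly one API key header is required")
    timestamp = headers.get("x-logtrust-timestamp", "")
    if not timestamp.isdigit():
        problems.append("x-logtrust-timestamp must be an epoch in milliseconds")
    if "x-logtrust-sign" not in headers:
        problems.append("x-logtrust-sign is missing")
    elif len(keys) == 1 and timestamp.isdigit():
        expected = sign(headers[keys[0]], api_secret, body, timestamp)
        if not hmac.compare_digest(expected, headers["x-logtrust-sign"]):
            problems.append("signature does not match API key + body + timestamp")
    return problems


# Constructed sample values (not real credentials).
BODY = '{"data": "data"}'
HEADERS = build_headers("my-api-key", "my-api-secret", BODY, reseller=True,
                        timestamp="1700000000000")
```

Pass `preflight` the body string exactly as it goes on the wire: re-serializing the JSON (for example, dropping the space after the colon) changes the signed bytes and therefore the signature.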