Authentication

The Onbo API uses API keys to authenticate your requests. You can view and manage your keys under the settings tab in your Onbo Dashboard.

All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.

All API requests must adhere to Onbo's authentication protocol. The authentication protocol involves two steps for every API request:

  1. Generate an HMAC

  2. Set the Authentication Header

API requests made without the correct Authentication Header will not get a response.

Generating an HMAC

The HMAC algorithm requires three components:

url uri The full url of the request, for example https://sandbox-api.stilt.com/v1/users

md5 string The request's body after removing white-spaces and line-breaks (according to regex

/(\r\n|\n|\r|\s+)/gm), which will then be hashed with the MD5 algorithm.

epoch int Number representation of Unix Epoch time

Supply these three components to the HMAC-SHA256 algorithm to create an HMAC value:

body = request.body.toString().replace(/(\r\n|\n|\r|\s+)/gm, '');
md5 = "";
if (body != ""){
    md5 = CryptoJS.MD5(body).toString()
}

hmac = CryptoJS.HmacSHA256(url + md5 + epoch, key).toString();

A more verbose example of the HMAC creation can be seen on Postman's Collection Pre-Request Script, where you can see the HMAC is automatically calculated in runtime before every request. For security purposes, the HMAC hash will only be valid for 60 seconds. Attempting to use an expired HMAC will result in HTTP Status 403: Forbidden.

Authentication Header

Using the HMAC method described above, add the following headers to your request:

X_CLIENT_UUID

Your client ID

X_STILT_HMAC

The HMAC (as generated above)

EPOCH

Number representation of Unix Epoch time

Content-MD5

Content-MD5 (as part of HMAC generation above)

PreviousIntroductionNextPagination

Last updated