Request Signing (Digital Signature)
Every API request must include a DigitalSignature header to verify the integrity of the payload. The signature is generated using your Private Key and the RSA-SHA256 algorithm.
To create the signature, you must first construct a single string by concatenating the following five components in order, with no separators:
- Request URL (without query parameters)
- API Key
- Request ID
- Timestamp
- Request Body (the raw, unmodified JSON string, including whitespace)
For example, the string to be signed might look like this:
Components must be appended to the signature string in the order listed above, with no whitespace between components. For requests that contain a body (POST, PUT, etc.), the body component must exactly match the body as it appears in the request payload, including whitespace.
Once you've constructed this string, sign it using RSA-SHA256 with your Private Key and Base64-encode the result. The final signature is the value you provide in the DigitalSignature header.
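The procedure above as an added Node.js example (not the API provider's code): it builds the string to sign, signs it, and shows that re-serialising the JSON body invalidates the signature. The key pair, URL, API key, request ID, timestamp format, helper names and PKCS#1 v1.5 padding are assumptions made for illustration.

```javascript
// Added example, not the API provider's code. Key pair and request values are constructed.
const crypto = require('node:crypto');

// Throwaway key pair so the example runs offline; in practice, load your own private key.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Concatenate the five components in the documented order, with no separators.
function buildStringToSign({ url, apiKey, requestId, timestamp, body = '' }) {
  const urlWithoutQuery = url.split('?')[0]; // drop query parameters
  return urlWithoutQuery + apiKey + requestId + timestamp + body;
}

// RSA-SHA256 signature, Base64-encoded: the value for the DigitalSignature header.
// Assumption: PKCS#1 v1.5 padding (Node's default for this algorithm name).
function signRequest(key, request) {
  return crypto.createSign('RSA-SHA256')
    .update(buildStringToSign(request), 'utf8')
    .sign(key, 'base64');
}

// Receiver-side check: rebuild the string from what arrived and verify with the public key.
function verifyRequest(key, request, signature) {
  return crypto.createVerify('RSA-SHA256')
    .update(buildStringToSign(request), 'utf8')
    .verify(key, signature, 'base64');
}

// Constructed sample request; note the irregular whitespace inside the raw body.
const rawBody = '{ "amount": 100,  "currency": "USD" }';
const request = {
  url: 'https://api.example.com/v1/payments?dryRun=true',
  apiKey: 'EXAMPLE-API-KEY',
  requestId: 'req-0001',
  timestamp: '1700000000',
  body: rawBody,
};
const signature = signRequest(privateKey, request);

// Parsing and re-serialising the JSON changes its whitespace, so the bytes
// that were signed no longer match the bytes being checked.
const reserialized = { ...request, body: JSON.stringify(JSON.parse(rawBody)) };

console.log('raw body verifies:', verifyRequest(publicKey, request, signature));
console.log('re-serialised body verifies:', verifyRequest(publicKey, reserialized, signature));
```

Sign the exact string that is sent as the request body; letting an HTTP client serialise the object a second time after signing is the usual cause of a rejected signature.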