requst security headers, request security
NOTE:
Read this chapter if you're going to use REST API. If you're going to use SDK library, you may keep going to next artticle.
Navigation:
Security Headers
Each request to MoneyMade Connect User API should contain following protection headers:
-
x-mm-api-key- the API key you received from our developers
-
x-mm-request-timestamp - current time as timestamp (in milliseconds). E.g. for date '2022-04-28T11:02:12.876Z' it equals to 1651143732876
-
x-mm-request-signature - request signature.
Request Signature
To sign a request you need following parameters:
Parameter | Description | Example |
|---|---|---|
request timestamp | Request timestamp you set into x-mm-request-timestamp header. | 1651143732876 |
secret key | The secret key you received from MoneyMade team. | SECRET_KEY_VALUE |
request body | The request body JSON string encoded as base64. | {"client_user_id":"my-internal-id"} |
request url | Full request url. |
Signature Generation Algorithm:
- Concat timestamp + request url+ request body
- Create sha256 HMAC (use secret key as encryption key)
- Transform it to HEX digest
import * as crypto from 'crypto';
export interface SignatureComponents {
secretKey: string;
body: any;
requestUrl: string;
timestamp: number;
}
export const makeSign = (params: SignatureComponents) => {
const { requestUrl, timestamp } = params;
const bodyPayload = params.body ? JSON.stringify(params.body) : '';
const hmacBody = timestamp + requestUrl + bodyPayload;
return crypto
.createHmac('sha256', params.secretKey)
.update(Buffer.from(hmacBody))
.digest('hex');
}
const crypto = require('crypto');
export const makeSign = (params) => {
const { requestUrl, timestamp } = params;
const bodyPayload = params.body ? JSON.stringify(params.body) : '';
const hmacBody = timestamp + requestUrl + bodyPayload;
return crypto
.createHmac('sha256', params.secretKey)
.update(Buffer.from(hmacBody))
.digest('hex');
}