To connect to our APIs, all requests must be authenticated. Please follow the guides below to authenticate against our APIs.
Connecting to the Site Flow RESTful APIs requires at least TLS 1.2 for all HTTPS connections.
If you need help ensuring that your environment is ready for this, you can follow one of these checks.
Site Flow RESTful APIs use an HTTP Authorization header to pass authorization information. Under the Site Flow authorization scheme, the Authorization header has the following form:
Site Flow User accounts are created via the SiteFlow website and are issued with an access token and secret key. For request authorization, the Token element identifies the access key ID that was used to compute the signature and, indirectly, the user and account making the request.
The Signature element is the HMAC SHA256 of selected elements from the request, and so the Signature part of the Authorization header will vary from request to request. If the request signature calculated by the system matches the Signature included with the request, the requester will have demonstrated possession of the Site Flow secret access key. The request will then be processed under the identity, and with the authority, of the developer to whom the key was issued.
Currently both HMAC SHA256 and HMAC SHA1 are supported; however, the more secure HMAC SHA256 is recommended.
In addition to the Authorization header, the request must also contain an ‘x-oneflow-date’ header, which carries the timestamp used when computing the signature, and an ‘x-oneflow-algorithm’ header, which names the hash algorithm that was used (e.g. ‘SHA256’). Below is an example of the headers used in the request:
Generating The Authorization Request Header
Below are some code examples which generate the `x-oneflow-authorization` header detailed above.
The method in the string to sign is the HTTP method used in the RESTful call, that is, GET, POST or PUT depending on the call being made.
The path is the endpoint path, excluding the Site Flow base URL, without URL encoding.
For example, in a call of the form GET /api/order, GET would be the method and /api/order the path.
```javascript
// We use the crypto module to compute the HMAC signature
var crypto = require('crypto');
// method, path, token and secret are supplied by the caller
var timestamp = (new Date()).toISOString();
// Note path must be percent decoded
var stringToSign = method + " " + decodeURIComponent(path) + " " + timestamp;
var hmac = crypto.createHmac("SHA256", secret);
hmac.update(stringToSign);
var signature = hmac.digest("hex");
var authHeader = token + ":" + signature;
```
```csharp
// Required for HMACSHA256 and UTF-8 encoding
using System;
using System.Security.Cryptography;
using System.Text;
// method, path, timestamp, token and secret are supplied by the caller
// Note path must be percent decoded
string stringToSign = method + " " + Uri.UnescapeDataString(path) + " " + timestamp;
HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
byte[] signatureBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign));
string signature = BitConverter.ToString(signatureBytes).Replace("-", "").ToLower();
string authHeader = token + ":" + signature;
```
```php
<?php
// $method, $path, $timestamp, $token and $secret are supplied by the caller
// Note path must be percent decoded
$stringToSign = strtoupper($method) . ' ' . urldecode($path) . ' ' . $timestamp;
$signature = hash_hmac('sha256', $stringToSign, $secret);
$authHeader = $token . ':' . $signature;
?>
```
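The snippets above only produce the client-side header. The following Python example, added here and not part of the Site Flow documentation or SDKs, builds all three headers described earlier and also shows the server-side check a verifier would perform: re-deriving the string to sign, bounding the `x-oneflow-date` timestamp to limit replay of a captured signature, and comparing digests in constant time. It assumes header names are already lower-cased and that `lookup_secret(token)` is a hypothetical callback returning the secret for a token; token and secret values are constructed placeholders.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Hash functions the API accepts for x-oneflow-algorithm (SHA256 recommended).
ALGORITHMS = {"SHA256": hashlib.sha256, "SHA1": hashlib.sha1}

def parse_timestamp(value):
    # Accepts the ISO 8601 form produced by JavaScript's toISOString().
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def string_to_sign(method, path, timestamp):
    # Method upper-cased, path percent-decoded, as in the snippets above.
    return f"{method.upper()} {unquote(path)} {timestamp}"

def compute_signature(method, path, timestamp, secret, algorithm="SHA256"):
    msg = string_to_sign(method, path, timestamp).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), msg, ALGORITHMS[algorithm]).hexdigest()

def sign_request(method, path, token, secret, timestamp, algorithm="SHA256"):
    # Client side: the three headers a signed Site Flow request carries.
    signature = compute_signature(method, path, timestamp, secret, algorithm)
    return {
        "x-oneflow-authorization": f"{token}:{signature}",
        "x-oneflow-date": timestamp,
        "x-oneflow-algorithm": algorithm,
    }

def verify_request(method, path, headers, lookup_secret, now=None,
                   max_skew=timedelta(minutes=5)):
    # Server side: returns the token when the signature is valid and fresh, else None.
    # lookup_secret(token) is an assumed callback returning the secret or None.
    try:
        token, presented = headers["x-oneflow-authorization"].split(":", 1)
        timestamp = headers["x-oneflow-date"]
        algorithm = headers["x-oneflow-algorithm"].upper()
        sent = parse_timestamp(timestamp)
    except (KeyError, ValueError):
        return None
    if algorithm not in ALGORITHMS:
        return None
    # A bounded clock-skew window limits how long a captured signature stays usable.
    current = parse_timestamp(now) if now else datetime.now(timezone.utc)
    if abs(current - sent) > max_skew:
        return None
    secret = lookup_secret(token)
    if secret is None:
        return None
    expected = compute_signature(method, path, timestamp, secret, algorithm)
    # Constant-time comparison; a plain == would leak the digest byte by byte.
    try:
        return token if hmac.compare_digest(expected, presented) else None
    except TypeError:  # non-ASCII junk in the presented signature
        return None
```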