X-API-Auth failure: not authorized answer

Ask the Experts and Postman Tips
,
1

I have this instruction:
API Key authentication

Each API Key comes with an API Secret used to sign the messages you send.

To authenticate, you must add to your request the header X-API-Auth containing the API Key and a message signature:

So I added to the Header a Key named X-API-Auth, with value key split by comma and secret code as for example key_xyz,secret_abc

Details (like screenshots):

image
image1023×393 27.4 KB

How I found the problem:
the answer I got is

"timestamp": "2022-11-01T11:44:34.502+00:00",
"status": 401,
"error": "Unauthorized",
"path": "/v1/devices"

I’ve already tried:

to use inheriting-authorization, no auth, API key, but failing

2

Does the documentation say where this needs to be added.

The header, or the body?

3

Does the doc also state how the value is signed?

4

as I wrote in the question, To authenticate, you must add to your request the header X-API-Auth containing the API Key and a message signature…

So to the header

5

good question!
this what I have found:

To authenticate, you must add to your request the header X-API-Auth containing the API Key and a message signature:

X-API-Auth: <your-api-key>:<request-hmac-512-authentication-code>

The authentication code of the request is computed by applying a HMAC_SHA512 on the request you’re about to send to the server. The message to authenticate has to respect the following specification (in pseudo code):

messageToSign = HttpMethod + '\n'
                  RelativePath + '\n'
                  CanonicalQuery + '\n'
                  Body + '\n'
                  Timestamp

where:

  • HttpMethod: Can be either GET, POST or PUT, mandatory in all requests
  • RelativePath: is a canonical url stripped of the base path, i.e. if you request https://...test.com/v1/devices that would be /v1/devices, ** mandatory** in all requests
  • CanonicalQuery: the encoded query, to be provided only if there is a query, for example:
property=temperature&since=1286705410000
  • Body: the exact json body to be sent, to be provided only if there is a body to send
  • Timestamp: in milliseconds. If provided, the request will only be valid for 60 seconds after this timestamp. It also has to be provided in the header in X-API-Timestamp.

This message is then authenticated using HMAC_SHA512 and its result base64 encoded. The final result is what we previously called request-hmac-512-authentication-code, or in short a “signature”.

So it looks like a token request…

6

So if it needs to be signed with HMAC Sha512 then you will need some code in the pre-req script.

There are Postman examples here (collection called “Encrypt parameters using CryptoJS”):
https://www.postman.com/postman/workspace/postman-answers/collection/18070393-66f7caac-3005-44b2-8620-16dfb64a35f4?action=share&creator=22617629

But I also found this that could be what you need (with a few tweaks):