Client

The HTTP client signs the request by adding the following HTTP headers:

X-Authorization:
X-Authorization-Timestamp:
X-Authorization-Content-SHA256: (if Content-Length > 0)

The HTTP client must add the following HTTP Header to the request:

X-Authorization Header

This header contains the authorization metadata and the HMAC signature used by the server to authenticate requests. See “Generating the Request Header and Signature” for detailed instructions on how to generate this header.

X-Authorization-Timestamp Header

A Unix timestamp (integer seconds since Jan 1, 1970 UTC). Required for all requests. If this value differs by more than 900 seconds (15 minutes) from the time of the server, the request will be rejected.

For example: 2023-07-10T01:36:14.891Z

X-Authorization-Content-SHA256 Header

The base64 encoded SHA-256 hash value used to generate the signature base string. This is analogous to the standard Content-MD5 header. Required for any request where Content-Length is not 0 (for example, a POST request with a body).
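The following is an added example, not code from the original specification. It sketches the server-side checks these two headers imply: the 900-second timestamp window and the body hash required whenever a body is present. The function names are hypothetical, the hash is assumed to cover the raw request body bytes, and verification of the HMAC signature itself is omitted because the base string is defined in another section.

```python
import base64
import hashlib
import hmac

MAX_SKEW_SECONDS = 900  # 15-minute window stated in the timestamp section


def content_sha256_header(body: bytes) -> str:
    """Base64 of the binary SHA-256 digest (assumed to cover the raw body)."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def check_request(headers: dict, body: bytes, server_now: int) -> tuple:
    """Hypothetical pre-signature check. Returns (accepted, reason)."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}

    ts_raw = h.get("x-authorization-timestamp")
    if ts_raw is None:
        return False, "missing timestamp"
    if not (ts_raw.isascii() and ts_raw.isdigit()):
        return False, "timestamp is not integer seconds"
    # Reject clocks that are too far behind or ahead of the server.
    if abs(server_now - int(ts_raw)) > MAX_SKEW_SECONDS:
        return False, "timestamp outside 900 second window"

    if body:  # Content-Length > 0: the content hash header is mandatory
        claimed = h.get("x-authorization-content-sha256")
        if claimed is None:
            return False, "missing content hash"
        expected = content_sha256_header(body)
        # Constant-time comparison of claimed and recomputed hash.
        if not hmac.compare_digest(claimed.encode(), expected.encode()):
            return False, "content hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    now = 1700000000                  # constructed server clock
    body = b'{"name": "example"}'     # constructed request body
    hdrs = {
        "X-Authorization-Timestamp": str(now - 30),
        "X-Authorization-Content-SHA256": content_sha256_header(body),
    }
    print(check_request(hdrs, body, now))
    print(check_request(hdrs, body + b" ", now))   # body altered in transit
    print(check_request(hdrs, body, now + 1000))   # stale request
```

These checks only establish freshness and body integrity relative to the headers; the request is authenticated only once the HMAC signature covering these values is also verified.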

Server

If the server authenticates the request successfully, it will add the following HTTP headers to the response (for all non-HEAD requests):

X-Server-Authorization-HMAC-SHA256:

X-Server-Authorization-Content-SHA256 Header

The server authorization is a base64-encoded binary HMAC-SHA256 digest of the hashed response body, nonce and timestamp, which is described in detail in the next section.