Security and Authentication

Headers

X-Partner-Id

Provided to the partner when the partner is registered with this service; it acts as the 'username'. The partner ID is usually stored as a reference and is not treated as a secret.

X-Api-Key

A secret key generated for each partner that authorizes the partner's requests.

Authorization

A JWT generated for each request so the server can validate that request. Format: "Bearer {{jwt}}". Using the "Bearer" type for JWTs in the Authorization header is a convention, and it helps to distinguish the type of token being used for authentication in an HTTP request.

Content-Type (POST requests only)

The value is 'application/json'.

Building JWT Token

// Postman pre-request script: builds an HS256 JWT with CryptoJS and stores it in the
// {{jwt}} environment variable referenced by the Authorization header.
var CryptoJS = require('crypto-js')

var header = {
    'typ': 'JWT',
    'alg': 'HS256'
}

// Issued-at time in seconds since the epoch
var currentTimestamp = Math.floor(Date.now() / 1000)

var data = {
    'partner_id': pm.environment.get('partner.id'),
    'iat': currentTimestamp
}

// Shared HMAC secret for this partner. The environment variable name 'jwt.secret' is
// an assumption; use whatever name holds the secret in your Postman environment.
var jwtSecret = pm.environment.get('jwt.secret')

function base64url(source) {
    // Encode in classical base64
    var encodedSource = CryptoJS.enc.Base64.stringify(source)

    // Remove padding equal characters
    encodedSource = encodedSource.replace(/=+$/, '')

    // Replace characters according to base64url specifications
    encodedSource = encodedSource.replace(/\+/g, '-')
    encodedSource = encodedSource.replace(/\//g, '_')

    return encodedSource
}

// encode header
var stringifiedHeader = CryptoJS.enc.Utf8.parse(JSON.stringify(header))
var encodedHeader = base64url(stringifiedHeader)

// encode data (payload)
var stringifiedData = CryptoJS.enc.Utf8.parse(JSON.stringify(data))
var encodedData = base64url(stringifiedData)

// build the signing input: header.payload
var token = `${encodedHeader}.${encodedData}`

// sign: HMAC-SHA256 over the signing input, then base64url-encode the raw digest
var signature = CryptoJS.HmacSHA256(token, jwtSecret)
signature = base64url(signature)
var jwt = `${token}.${signature}`

// expose the token to the request as {{jwt}}
pm.environment.set('jwt', jwt)

Header

  • The header object contains two properties: typ with the value 'JWT' (indicating it's a JWT) and alg with the value 'HS256' (indicating HMAC SHA-256 as the signing algorithm).

  • The header is then converted to a JSON string.

  • The resulting JSON string is UTF-8 encoded.

  • The UTF-8 encoded header is then base64 URL encoded to produce the first part of the token.

Payload (Data)

  • The data object contains two properties: partner_id, read from the Postman environment, and iat, the current timestamp (seconds since epoch) obtained using Math.floor(Date.now() / 1000).

  • The data object is converted to a JSON string.

  • The resulting JSON string is UTF-8 encoded.

  • The UTF-8 encoded data (payload) is then base64 URL encoded to produce the second part of the token.

Building the Token

  • The token is formed by concatenating the encoded header and the encoded data (payload) with a dot separator.

Signing the Token

  • The token is used as the message input for the HMAC SHA-256 algorithm, along with a secret key (jwtSecret).

  • The HMAC SHA-256 algorithm produces a signature for the token.

  • The signature is binary data.

  • The binary signature is then base64 URL encoded to produce the third part of the token.

Constructing the Final JWT

  • The final JWT is formed by concatenating the original token, the dot separator, and the encoded signature.

The resulting jwt variable holds a compact JWT that can be used for secure data exchange and authentication. The signature ensures the token's integrity and authenticity: the recipient recomputes the HMAC with the same jwtSecret and can therefore detect any change to the header or payload made in transit.
