SymetryML REST API Security
Last updated
Last updated
The SymetryML REST API allows you to authenticate your requests. The API’s authentication is based on a "message-authentication code" signature created using specific parts of the REST API HTTP request.
Message authentication code (MAC) provides a way to verify the integrity of information sent in a REST request based on a secret key known only to the request sender and receiver. Because only two parties know the secret key, validating the MAC signature also authenticates the corresponding REST request. For this reason, each SymetryML API account has a secret key associated with its SymetryML key ID that is used to create a MAC signature for each REST request. The SymetryML server uses this secret key to verify signatures and authenticate all requests.
The SymetryML REST API uses the HTTP Authorization header to pass authentication information to the server. The header contains the information in the following table.
The most common MAC algorithms are Hash-based Message Authentication Code-Message Data 5 (HMAC-MD5) and HMAC-SHA2. The algorithm used in the SymetryML REST API is HMAC-SHA2, as specified in RFC 4868. For examples of how to sign your REST request, see .
Authorization
Signature
Signature
Base64( HMAC-SHA2(UTF-8-Encoding-Of( StringToSign ) ) );
StringToSign
HTTP-Verb + "\n" Content-MD5 + "\n" SymetryML-Secret-Key + "\n" Sym-Date Header + "\n" SymetryML-customer-Id + "\n" RequestBody + "\n" CanonicalizedResource + "\n" URLQueryParameters + "\n";
Sym-Date format
CanonicalizedResource
<HTTP-Request-URI, from the protocol name up to the query string>
URLQueryParameters
Any URL query parameters used in the REST request. If no query parameters are present, do not add null or a new line "\n".
RequestBody
JSON request body. If there is no request body, omit this along with the newline ("\n") that follows it.
sym-client
Each SymetryML REST request must contain a SymetryML Date header. The content of this header is a date and time based on the Universal Coordinated Time/Greenwich Mean Time (UTC/GMT) time zone. This header is called sym-date.
The SymetryML Date header must:
Follow this syntax:
For example:
Before 5 minutes of the server time.
Not be more than 1 minute ahead of the server time.
If an authentication error occurs, the server returns a 401 (UNAUTHORIZED) response. The response contains a stringToSign entity that describes the string that the server was trying to validate when the error occurred. You can use this string to troubleshoot the request and identify the validation issue.
Note
The server omits the secret key from the response and outputs SECRETKEY in stringToSign.
The following shows an example of an unauthorized response. .
To help you identify and resolve authentication issues quickly, the SymetryML REST API supports a variety of error codes. The following table describes the supported error codes.
Error Code
HTTP Code
Description
Md5 do not match
400
MD5 of the request body is invalid.
Invalid User
401
Server does not know this user.
Invalid Signature
401
Authentication header signature is invalid.
Authentication header is null
400
Authentication header is missing from the request.
sym-date header is null
400
SymetryML date header is missing from the request.
Please update your server time, it is likely out of sync with UTC
400
Date in the request is more than 5 minutes before the server time or more than 1 minute after it. Check the time configuration on your client.
Invalid Date Format
400
Please note that Every REST request that is made starts with the following canonical URL:
where:
{cid} is the customer ID.
HTTP VERB is a valid HTTP verb such as GET, PUT, POST, or DELETE.
See the section covering .
This parameter is not mandatory and not used in computing the string to sign, but is used when compiling logging statistics about the data source and streaming API. For more details please consult the section.
Format of the SymetryML date header is invalid. See the section for information about the appropriate format to use.