Finqware API
  • Quick start
  • Overview
    • Skills
    • Servicers
    • Tenants
    • Security model
      • Tenant-level elements
      • User-level elements
  • Dev guide
    • Intro
    • User onboarding
      • Detailed flow
    • Consuming data
      • About caching
    • Designing a tenant app
      • The back-end
      • The front-end
    • Signing API requests
      • RS256 infrastructure
      • Computing the digest
      • Signing HTTP requests
  • API
    • Sessions
    • Tokens
    • Accounts
    • Balances
    • Transactions
    • Payments
    • Consents
    • Catalogs
    • Errors
Powered by GitBook
On this page
  1. Dev guide
  2. Signing API requests

Computing the digest

Guideline for generating the message digest

The signed Authorization header includes, among other claims, a sha256 digest of the HTTP request (note: the Finqware API only uses POST application/json requests similar to a GraphQL API).

Steps

  1. take the json payload and compress it to a single-line json without any whitespaces

    • make sure you do not remove any useful whitespaces (eg: from a debtor name when submitting a payment)

    • it is recommended to use a standard json library to do that instead of your own regex

      #
# Python example
#

http_payload = {
  "client_id": "51e2389....02d51",
  "client_app_key": "MDAxNmxvY2F0aWMz...D9rgv7_DySaiYgo", 
  "skill": "bt_ro_aisp_sbx_#2.0"
}

# a compact stringified json without any whitespaces 
compact_http_payload = json.dumps(http_payload, separators=(',', ':')).encode("utf-8")

  2. compute a Base64 (not URL-safe) encoded SHA-256 hash of the compressed json format

    digest = hashlib.sha256(compact_http_payload).digest()
b64_digest = base64.b64encode(digest).decode("utf-8")

Note:

  • make sure your HTTP client sends the request with the json keys in the same order as in the payload used when computing the digest

PreviousRS256 infrastructureNextSigning HTTP requests

Last updated 3 years ago