Computing the digest

The signed Authorization header includes, among other claims, a sha256 digest of the HTTP request (note: the Finqware API only uses POST application/json requests similar to a GraphQL API).

Steps

1. take the json payload and compress it to a single-line json without any whitespaces

   • make sure you do not remove any useful whitespaces (eg: from a debtor name when submitting a payment)

   • it is recommended to use a standard json library to do that instead of your own regex

     Copy

     #
     # Python example
     #
     
     http_payload = {
       "client_id": "51e2389....02d51",
       "client_app_key": "MDAxNmxvY2F0aWMz...D9rgv7_DySaiYgo", 
       "skill": "bt_ro_aisp_sbx_#2.0"
     }
     
     # a compact stringified json without any whitespaces 
     compact_http_payload = json.dumps(http_payload, separators=(',', ':')).encode("utf-8")

2. compute a Base64 (not URL-safe) encoded SHA-256 hash of the compressed json format

   Copy

   digest = hashlib.sha256(compact_http_payload).digest()
   b64_digest = base64.b64encode(digest).decode("utf-8")

Note:

• make sure your HTTP client sends the request with the json keys in the same order as in the payload used when computing the digest