API Authentication

HTTP requests made to the server need to be authenticated. To do so you need an access_key to identify you as the requester and a secret_key to sign the request. You can find these keys on your Profile.

Any HTTP request (POST or GET) must contain your access_key, a timestamp parameter with the time of the request (ISO 8601 format) and the HMAC signature of the message's content. This signature allows us to authenticate your HTTP request and verify the data integrity of your message.

How to Sign Your HTTP Request

To sign your HTTP request you need to produce an HMAC signature of its contents. You can find an example of how to do this using JavaScript in our Node.js CLI.

The hmac_signature_data is constructed by concatenating the following information separated by semicolons:

  1. Uppercase HTTP request method (e.g., POST, GET, DELETE)
  2. Lowercase API Hostname (i.e., api4.jscrambler.com)
  3. The resource path (e.g., /application or /application/download/<PROTECTION_ID>)
  4. The URL-encoded request parameters (url_query_string), which include the access_key and the timestamp

<REQUEST_METHOD>;<API_HOSTNAME>;<RESOURCE_PATH>;<URL_QUERY_STRING>

The following is an example of the hmac_signature_data:

GET;api4.jscrambler.com;/application;access_key=YOUR_UPPERCASE_ACCESS_KEY&timestamp=DATE

Additional parameters, such as the query and the variables, can be sent in the request alongside the access_key and the timestamp. When you include these parameters in the url_query_string, take the following into consideration:

  • The parameters must be ordered alphabetically and the key-value pairs must be URL encoded
  • Make sure that the percent-encoded sequences produced by your URL encode function use uppercase hexadecimal digits (e.g., ':' should look like '%3A' and not like '%3a')
  • After the URL encoding, make sure to replace '%7E' by '~', '+' by '%20' and '*' by '%2A' if that did not happen
  • The access_key and secret_key must be uppercase
  • The secret_key is used to produce the signature, but it should never be included as a parameter of the HTTP request (otherwise someone else might be able to make requests on your behalf)

Finally, take the HMAC digest, encode it with MIME Base64, and add it as a parameter of the HTTP request (you can find an example of how to make a request in the GraphQL Request Example).
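
The signing procedure above, as an added Node.js example (not the Jscrambler client's own code). It assumes SHA-256 as the HMAC hash, which this page does not specify; the function names and the sample keys are constructed for illustration.

```javascript
const crypto = require('crypto');

// URL-encode one key or value using the rules listed on this page.
function urlEncode(value) {
  return encodeURIComponent(String(value)) // emits uppercase hex, space -> %20
    .replace(/%7E/g, '~')
    .replace(/\+/g, '%20')
    .replace(/\*/g, '%2A');
}

// <REQUEST_METHOD>;<API_HOSTNAME>;<RESOURCE_PATH>;<URL_QUERY_STRING>
function buildSignatureData(method, host, path, params) {
  if ('secret_key' in params) {
    throw new Error('secret_key must never be sent as a request parameter');
  }
  const query = Object.keys(params)
    .sort() // alphabetical order by parameter name
    .map((key) => `${urlEncode(key)}=${urlEncode(params[key])}`)
    .join('&');
  return [method.toUpperCase(), host.toLowerCase(), path, query].join(';');
}

// ASSUMPTION: SHA-256 as the HMAC hash; the page does not name one.
function signRequest({ method, host, path, params, accessKey, secretKey, timestamp }) {
  const signedParams = { ...params, access_key: accessKey.toUpperCase(), timestamp };
  const data = buildSignatureData(method, host, path, signedParams);
  const signature = crypto
    .createHmac('sha256', secretKey.toUpperCase())
    .update(data)
    .digest('base64'); // Base64-encoded digest, sent with the request
  return { data, signature, signedParams };
}

// Constructed sample values, not real credentials.
const sample = signRequest({
  method: 'post',
  host: 'API4.jscrambler.com',
  path: '/application',
  params: { query: 'a:b c*~' },
  accessKey: 'abc123',
  secretKey: 'def456',
  timestamp: '2024-01-01T00:00:00.000Z',
});
console.log(sample.data);
console.log(sample.signature);
```

The server can only verify the signature if it rebuilds the same string byte for byte, so a mismatch in parameter order, hex case or host case produces a rejected request rather than a partial match.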