2.5 Authentication
Request signature
Authenticated requests must include a X-YC-Timestamp
header with the current timestamp in ISO8601 format and an Authorization
header in the YcHmacV1
scheme, Scheme {apikey}:{signature}
, where the scheme is YcHmacV1
, apikey
is the api key in use and signature
is a signed message using the secret key associatied with the api key in use.
Example Authorization
header, YcHmacV1 aenifaieubgpa:fakno+9epoa/obe=
.
The message to sign is a concatenation of:
-
The current datetime in ISO8601 format
-
The request path(only path data, excluding host), e.g
/business/payments/accept
-
The request method in caps, e.g POST
-
For POST and PUT requests a base64 encoded sha256 hash of the request body
Example message to sign,
2022-01-11T15:48:37.424Z/paymentPOSTuisbibf/sadf+==
.
IP address whitelist
In production environment, you're required to share with us your production server static IP address for whitelist as we authorize requests from whitelisted IP addresses in production. We support whitelist of IP range for both IPv4 and IPv6 addresses.
Updated 1 day ago