For data integrity and identity, API supports the request check by message authentication code - MAC. It uses the standard HMAC_SHA_256 algorithm to generate code. The symmetric key for hashing is obtained during the generation of the appropriate type of the company_key.
In the case of non-standard request types, the procedure for generating an authorization code is different. In standard cases, the authorization code is the base64 value of the HMAC of the request object - base64(hmac_sha_256(secret_key, request_body)). A multipart request is a non-standard request, the code of which is generated iteratively. The hashing key of each iteration is the binary value of the authorization code obtained during the previous interaction. base64(hmac_sha_256(hmac_sha_256(secret_key, part_1), part_2))). In the multipart request, it’s important to sort parts of it by type, firstly there should be placed text data, and then file type data.
The generated authorization code should be added in the request header as follows:
Authorization: signature="{code}"
Like a request, the response contains an authorization header as well - Authorization: signature="base64(hmac_sha_256(secret_key, response_body)), the authenticity of which should be checked by the caller. An unsuccessful request does not include an authorization header.
HMAC Authorization