HMAC Authorization

For data integrity and identity, the API supports request verification with a message authentication code (MAC). It uses the standard HMAC_SHA_256 algorithm to generate the code. The symmetric key for hashing is obtained when the appropriate type of company_key is generated.
For non-standard request types, the procedure for generating the authorization code is different. In standard cases, the authorization code is the base64 value of the HMAC of the request object: base64(hmac_sha_256(secret_key, request_body)). A multipart request is a non-standard request, and its code is generated iteratively. The hashing key of each iteration is the binary value of the authorization code obtained in the previous iteration: base64(hmac_sha_256(hmac_sha_256(secret_key, part_1), part_2)). In a multipart request, it is important to sort the parts by type: text data must be placed first, followed by file data.
The generated authorization code should be added to the request header as follows:
Authorization: signature="{code}"
Like a request, the response also contains an authorization header, Authorization: signature="base64(hmac_sha_256(secret_key, response_body))", the authenticity of which should be checked by the caller. An unsuccessful request does not include an authorization header.
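The signing and response-check steps described above, as an added Python example (not Identomat's own code). It assumes that each multipart part contributes its raw value bytes to the HMAC, that parts of the same type keep the caller's order, and that the secret key is used as raw bytes; the function names are hypothetical.

```python
import base64
import hashlib
import hmac

PREFIX = 'signature="'

def sign_body(secret_key: bytes, body: bytes) -> str:
    """Standard request or response: base64(hmac_sha_256(secret_key, body))."""
    mac = hmac.new(secret_key, body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def sign_multipart(secret_key: bytes, parts) -> str:
    """parts: list of (kind, data) tuples, kind is 'text' or 'file'.

    Text parts are hashed first, then file parts. The binary digest of
    each iteration becomes the HMAC key of the next one.
    """
    if not parts:
        raise ValueError("multipart request has no parts to sign")
    # sorted() is stable, so order within a type is preserved (assumption).
    ordered = sorted(parts, key=lambda p: 0 if p[0] == "text" else 1)
    key = secret_key
    for _kind, data in ordered:
        key = hmac.new(key, data, hashlib.sha256).digest()
    return base64.b64encode(key).decode("ascii")

def authorization_header(code: str) -> str:
    """Value for the Authorization header: signature="{code}"."""
    return f'{PREFIX}{code}"'

def verify_response(secret_key: bytes, body: bytes, header) -> bool:
    """Check the response signature; a missing header is never trusted."""
    if not header or not header.startswith(PREFIX) or not header.endswith('"'):
        return False
    received = header[len(PREFIX):-1]
    expected = sign_body(secret_key, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(received.encode(), expected.encode())

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample, not a real key
    parts = [("file", b"constructed image bytes"), ("text", b"passport")]
    print("Authorization:", authorization_header(sign_multipart(key, parts)))
    body = b'{"result":"approved"}'  # constructed sample response body
    print(verify_response(key, body, authorization_header(sign_body(key, body))))
```

Sign and verify the exact bytes sent or received on the wire; re-serializing a parsed body before hashing can change the bytes and make a valid signature fail.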