Client application authentication
This page provides detailed instructions on how to authenticate your app to make hoshinplan.com API calls.
Every API request has to be authenticated to ensure the user has access to the recuested resource. Client application authentication is done by adding some parameters to the call URL.
If you tried a request without authentication like this:
GET /companies HTTP/1.1 Host: www.hoshinplan.com
The server response would be something like:
HTTP/1.1 401 Unauthorized Content-Type: application/json; charset=utf-8
For our operations to work you have to provide the following parameters:
- The client application key generated when creating the client application.
- The current date and time in ISO 8601 format at the moment of the API call.
- The hash-based message authentication code (MAC) for this request using HMAC-SHA256 algorithm. To compute the value for this parameter the whole request string before adding the signature parameter has to be used. For the previuous example could be:
This is the value that has to be used to calculate the MAC using the secret generated when creating the client application.
For example to generate the signature you could use the following Ruby code:
Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new('sha256'), secret, data)).strip()
For this code to work you have to require openssl and base64 in your class:
require 'openssl' require 'base64'
Be sure to URL encode the parameter values. Adding the above parameters, the call from the example would end up being (we have added line breaks between parameters to improve readability but they should not be included):
GET /companies? app_key=bb39caab63c3dd6524bcaa61ec4f3b4c& timestamp=2014-01-11T23%3A55%3A46%2B01%3A00& signature=x7/8VfSlr0DlSJ+N4xBEaL1+IwtmeunasI+hYtiDjd8= HTTP/1.1 Host: www.hoshinplan.com
And now the call would succeed.