
HMAC Authentication

Example Usage

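The following examples show how to collect data from the API endpoints in different languages. The token information (name, secret and identifier) is provided when you create a webhook through the API. Alternatively, contact us on hello@credfin.io and we can create them for you and provide integration assistance. You then use this token to sign the API request you make when you receive the event application.completed. The secret is the HMAC signing key, so the placeholder values in the examples should be replaced with values loaded from configuration or a secret store rather than committed to source code.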

Python

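def get_bundle(self, application_id):
    """Fetch the bundle for one application with an HMAC-signed GET request.

    The request is signed by joining method, Content-MD5, Content-Type,
    timestamp and path with newlines, computing HMAC-SHA256 over that
    string with the webhook secret, and sending the base64 digest in the
    ``Authorization`` header as ``HMAC <identifier>:<signature>``.

    Args:
        application_id: Identifier of the application whose bundle is
            requested. It is percent-encoded before being placed in the
            URL path.

    Returns:
        The decoded JSON body of the response.

    Raises:
        requests.HTTPError: If the response status code is not 200.
    """
    from urllib.parse import quote

    # Placeholder credentials. The secret is the signing key: load the real
    # values from configuration or a secret store, not from source code.
    token = {
        "name": "webhook-name",
        "secret": "webhook-secret",
        "identifier": "webhook-identifier",
    }

    method = 'GET'
    body = ''
    root_url = 'https://credfin.io'
    # The id usually arrives in a webhook payload, so encode it: a value
    # containing '/', '?' or '#' must not be able to change which path is
    # signed and requested with these credentials.
    path = '/api/applications/{}/bundle'.format(
        quote(str(application_id), safe=''))
    # Same format as before, without the deprecated utcnow().
    timestamp = datetime.datetime.now(datetime.timezone.utc).strftime(
        "%a, %d %b %Y %H:%M:%S GMT")
    content_type = 'application/json'

    # MD5 is only the body checksum carried in Content-MD5; the request is
    # authenticated by the HMAC-SHA256 signature below.
    body_digest = hashlib.md5(body.encode())
    content_md5 = b64encode(body_digest.digest()).decode('utf-8')
    message = '\n'.join([method, content_md5, content_type, timestamp, path])

    signature = hmac.new(bytes(token['secret'], 'latin-1'),
                         bytes(message, 'latin-1'),
                         digestmod=hashlib.sha256)
    hmac_base64 = b64encode(signature.digest()).decode('utf-8')

    headers = {
        'Date': timestamp,
        'Content-MD5': content_md5,
        'Content-Type': content_type,
        'Authorization': 'HMAC {}:{}'.format(token['identifier'], hmac_base64)
    }

    # Send the method that was signed, so the two cannot drift apart.
    request = requests.Request(
        method, '{}{}'.format(root_url, path),
        data=body, headers=headers)
    prepped = request.prepare()
    # Replace whatever prepare() produced with exactly the signed headers.
    prepped.headers = headers

    with requests.Session() as session:
        # Without a timeout a stalled connection blocks the caller forever.
        response = session.send(prepped, timeout=15)

    if response.status_code != 200:
        print("Bad status code: {}".format(response.status_code))
        print("Bad status: {}".format(response.text))
        print(root_url, path)
        # The original `raise()` raised a TypeError that hid the real cause.
        raise requests.HTTPError(
            "Bundle request failed with status {}".format(
                response.status_code),
            response=response)

    print('Retrieved bundle')
    return response.json()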

JavaScript

/**
 * Send an HMAC-signed GET request to the API and return the response.
 *
 * The signed message is method, Content-MD5, Content-Type, timestamp and
 * path joined by newlines; its HMAC-SHA256 (base64) goes in the
 * Authorization header as `HMAC <identifier>:<signature>`.
 *
 * @param {string} path API path, appended to the root URL and included in
 *   the signed message.
 * @returns {Promise<Response>} The fetch response when `response.ok` is true.
 * @throws {Error} With the response text as message when the response is
 *   not ok.
 */
async function getFromAPI(path) {
  // Placeholder values; replace them with the credentials issued for the
  // webhook, supplied from configuration rather than written into the code.
  const token = { name: 'xxxx', secret: 'xxxx', identifier: 'xxxx' };

  const root = 'https://credfin.io';
  const method = 'GET';
  const body = '';
  const contentType = 'application/json';
  const timestamp = new Date().toUTCString();

  // Content-MD5 is the base64 MD5 of the (empty) body.
  const contentMD5 = crypto.createHash('md5').update(body).digest('base64');

  const message = [method, contentMD5, contentType, timestamp, path].join('\n');
  const hmacBase64 = crypto
    .createHmac('sha256', token.secret)
    .update(message)
    .digest('base64');

  const headers = {
    Date: timestamp,
    'Content-MD5': contentMD5,
    'Content-Type': contentType,
    Authorization: `HMAC ${token.identifier}:${hmacBase64}`,
  };

  // An empty body is sent as null.
  const payload = body == '' ? null : body;
  const response = await fetch(root + path, { method, headers, body: payload });

  if (response.ok) {
    return response;
  }
  throw new Error(await response.text());
}

PHP

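/**
 * Send an HMAC-signed request to the API and return the raw response body.
 *
 * The signed message is method, Content-MD5, Content-Type, timestamp and
 * path joined by newlines; its HMAC-SHA256 (base64) is sent in the
 * Authorization header as "HMAC <identifier>:<signature>".
 *
 * @param string $identifier Token identifier placed in the Authorization header.
 * @param string $secret     Token secret used as the HMAC key.
 * @param string $method     HTTP method; it is both signed and sent.
 * @param string $path       API path, appended to the root URL and signed.
 * @param string $body       Request body; an empty body is sent as null.
 *
 * @return string Contents of the response body.
 */
public function rawApiCall($identifier, $secret, $method, $path, $body = '')
{
    $root = 'https://credfin.io';
    $contentType = 'application/json';

    // The original line had no terminating semicolon and formatted the
    // application's local time with no zone. Use GMT with an explicit
    // suffix, matching the Python and JavaScript examples.
    $timestamp = gmdate('D, d M Y H:i:s').' GMT';

    // Content-MD5 is only a body checksum; the HMAC below authenticates.
    $contentMD5 = base64_encode(md5($body, true));

    $message = implode("\n", [
        $method,
        $contentMD5,
        $contentType,
        $timestamp,
        $path,
    ]);
    $hmacBase64 = base64_encode(hash_hmac('sha256', $message, $secret, true));

    $headers = [
        'Date' => $timestamp,
        'Content-MD5' => $contentMD5,
        'Content-Type' => $contentType,
        'Authorization' => 'HMAC '.$identifier.':'.$hmacBase64,
    ];

    return $this->client->request($method, $root.$path, [
        // Certificate verification must stay on: with 'verify' => false the
        // signed request and the returned data could be read or altered by
        // anyone able to intercept the connection.
        'verify' => true,
        // Compare explicitly so that a body of "0" is not dropped.
        'body' => ($body === '' || $body === null) ? null : $body,
        'headers' => $headers,
        'timeout' => 15,
    ])->getBody()->getContents();
}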