Authentication - Bearer Token

Authentication

An Authenticate header must be included in all API calls to authorize the caller. The header uses a public and private key pair together with other unique values to authenticate at a system level. It does not protect the message content itself, so the use of transport layer security (SSL/TLS) is strictly enforced.

Authenticate Header Format

Below is the format of the Authenticate header, showing the parameters it carries.

Authenticate: Bearer timestamp="{timestamp}",nonce="{nonce}",signature="{signature}",publickey="{publicKey}"

Authenticate Header Parameters

  1. timestamp (int): Number of seconds elapsed since January 1, 1970 UTC (Unix time).
  2. nonce (string): Randomly generated string of exactly 50 characters.
  3. signature (string): Hexadecimal string produced by the HMAC algorithm.
  4. publicKey (string): String provided by Rollick for the purposes of authentication.


To generate an Authenticate header: 

  1. Generate a nonce as a random string of exactly 50 characters. Requests that reuse a nonce within the same hour are rejected, so each nonce must be unique.
  2. Concatenate the timestamp, nonce, and provided publicKey values, in that order.
  3. Create the signature by computing an HMAC over the concatenated string, using the privateKey supplied by Rollick as the key and SHA256 as the digest, and encode the result as hexadecimal digits.
  4. Fill in the values for timestamp, nonce, signature, and publicKey in the Authenticate header.
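The procedure above carried through in Python, as an added example that is not Rollick's own code: the client side builds the header (steps 1 to 4), and a hypothetical server side checks it the way a relying API would, with a constant-time signature comparison, a freshness window on the timestamp (the 300-second skew is an assumption; the page only states the one-hour nonce rule), and rejection of a nonce reused within the hour. The key store, the seen-nonce table and the private key value are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
import string
import time

NONCE_ALPHABET = string.ascii_letters + string.digits  # matches the sample nonce; an assumption
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

def make_nonce(length=50):
    # Step 1: random string of exactly 50 characters
    return "".join(secrets.choice(NONCE_ALPHABET) for _ in range(length))

def compute_signature(private_key, timestamp, nonce, public_key):
    # Steps 2-3: HMAC-SHA256 over timestamp + nonce + publicKey, keyed with privateKey, hex encoded
    message = f"{timestamp}{nonce}{public_key}".encode()
    return hmac.new(private_key.encode(), message, hashlib.sha256).hexdigest()

def build_header(private_key, public_key, timestamp=None, nonce=None):
    # Step 4: client side; timestamp and nonce may be supplied to make the output reproducible
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = make_nonce() if nonce is None else nonce
    signature = compute_signature(private_key, timestamp, nonce, public_key)
    return (f'Authenticate: Bearer timestamp="{timestamp}",nonce="{nonce}",'
            f'signature="{signature}",publickey="{public_key}"')

def parse_header(header):
    prefix = "Authenticate: Bearer "
    return dict(PAIR_RE.findall(header[len(prefix):])) if header.startswith(prefix) else {}

def verify_header(header, key_store, seen_nonces, now, max_skew=300):
    # Hypothetical server side: key_store maps publickey -> privateKey, seen_nonces maps
    # nonce -> first-seen time. max_skew (seconds) is an assumption; the hour rule is the page's.
    p = parse_header(header)
    private_key = key_store.get(p.get("publickey"))
    ts = p.get("timestamp", "")
    if private_key is None or len(p.get("nonce", "")) != 50 or not ts.isdigit():
        return False
    if abs(now - int(ts)) > max_skew:  # stale or future-dated timestamp
        return False
    expected = compute_signature(private_key, ts, p["nonce"], p["publickey"])
    if not hmac.compare_digest(expected, p.get("signature", "")):  # constant-time compare
        return False
    first_seen = seen_nonces.get(p["nonce"])
    if first_seen is not None and now - first_seen < 3600:  # replay within the same hour
        return False
    seen_nonces[p["nonce"]] = now
    return True
```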

Example Authenticate Header

Authenticate: Bearer timestamp="1621635868",nonce="jH241XBpjCQONmbKkxRbVqo5QdlBoFAMbDCZY6IirOW1tlctEq",signature="18186378620e531fc07223d6dc107eb370907964a0b2a5deb22e6f98012cd279",publickey="A776DBCF-0641-4DE7-92DC-17F31F3FEA3E"