Signing OT API requests


OTAPI keys don't have a secret part by default, and requests don't need to be signed with it. In this case the signature and timestamp parameters don't need to be sent.
If you want to protect your key, implement the signature algorithm described below, then contact our support team or your chat and ask for the secret part of the key. After that, any unsigned requests with your key will stop working.

To sign a request, add two new parameters, signature and timestamp, to its parameters.
For example, signature=305330c8b160062a90c9449cd146f4fb79a458d0fe3f04b55908edab5c65f1a5&timestamp=20210212114345
The value of signature is the SHA256 hash of the line "{methodName}{concatenationOfAllPassedParametersValues}{secretForSignature}".
The concatenation is built from the parameter values, taken before URL-encoding, with the parameters sorted by name.
The value of timestamp is the call date and time in UTC+0 in "yyyyMMddHHmmss" format ("yyyy" year, "MM" month, "dd" day, "HH" hours, "mm" minutes, "ss" seconds).
For the timestamp value, a difference of up to one hour between the client and the server time is allowed.


Let's take the GetCategoryInfo method as an example. This method has 3 main parameters: instanceKey, language and categoryId.
After adding signature parameters, the request will be as follows:

Sorting parameters by name gives the following order:

Concatenating their values in sorted order gives the line "0INSTANCEKEYru20210212114345". Add the method name to the beginning of the line and the secret to the end (say, "123123") to get "GetCategoryInfo0INSTANCEKEYru20210212114345123123". Then hash the line with SHA256 to get "305330c8b160062a90c9449cd146f4fb79a458d0fe3f04b55908edab5c65f1a5". This hash is passed in the signature parameter.


AccessDenied / MissingTimestamp: Timestamp is missing
AccessDenied / MissingSignature: Signature is missing
AccessDenied / InvalidTimestamp: Invalid timestamp
AccessDenied / InvalidSignature: Invalid signature
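
The signing steps and the four error conditions above, as an added Python example (not OTAPI's own code). The function names, the ordinal sort of parameter names, UTF-8 encoding of the line and the order of the receiver-side checks are assumptions; the inputs are the GetCategoryInfo example values from this page.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y%m%d%H%M%S"       # "yyyyMMddHHmmss", UTC+0
MAX_SKEW = timedelta(hours=1)    # allowed client/server difference per the page

def string_to_sign(method, params, secret):
    """{methodName}{values sorted by parameter name}{secret}, before URL-encoding."""
    # Assumption: ordinal sort of names; the signature parameter itself is excluded.
    names = sorted(n for n in params if n != "signature")
    return method + "".join(str(params[n]) for n in names) + secret

def sign_request(method, params, secret, now=None):
    """Client side: return a copy of params with timestamp and signature added."""
    now = now or datetime.now(timezone.utc)
    signed = dict(params, timestamp=now.strftime(TS_FORMAT))
    line = string_to_sign(method, signed, secret)
    # Assumption: the line is hashed as UTF-8 bytes and sent as lowercase hex.
    signed["signature"] = hashlib.sha256(line.encode("utf-8")).hexdigest()
    return signed

def check_request(method, params, secret, now=None):
    """Receiver-side sketch: returns None, or one of the error names listed above."""
    now = now or datetime.now(timezone.utc)
    if "timestamp" not in params:
        return "MissingTimestamp"
    if "signature" not in params:
        return "MissingSignature"
    try:
        sent = datetime.strptime(params["timestamp"], TS_FORMAT)
    except ValueError:
        return "InvalidTimestamp"
    if abs(now - sent.replace(tzinfo=timezone.utc)) > MAX_SKEW:
        return "InvalidTimestamp"
    line = string_to_sign(method, params, secret)
    expected = hashlib.sha256(line.encode("utf-8")).hexdigest()
    # Constant-time comparison: does not reveal how many leading characters matched.
    if not hmac.compare_digest(expected.encode(), params["signature"].encode()):
        return "InvalidSignature"
    return None

# The page's example inputs; "123123" is the sample secret used in the text.
EXAMPLE = {"instanceKey": "INSTANCEKEY", "language": "ru", "categoryId": "0"}
EXAMPLE_NOW = datetime(2021, 2, 12, 11, 43, 45, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(sign_request("GetCategoryInfo", EXAMPLE, "123123", now=EXAMPLE_NOW))
```

Build the query string from the returned dictionary with a URL-encoder only after signing, since the signature covers the values as they are before URL-encoding.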