• Descriptions
  • Getting started with OT API
  • Calculation of paid OT API calls
  • Incomplete information of items
  • Signing OT API requests
  • Sessions in OT API

• Methods
  • All
  • Background activity
  • Brand
  • Brand - Administration
  • Business data exporting
  • Category
  • Category - Administration
  • Changes logging
  • Content
  • Content - Administration
  • Currency
  • Currency - Administration
  • Delivery
  • Delivery - administration
  • Direct payments - Administration
  • Discounts - Administration
  • Elements collection
  • Elements collection - Administration
  • File storage
  • Instance keys information
  • Item
  • Item - Administration
  • Localization - Administration
  • Messages
  • Operator
  • Operator - Rights
  • Orders - Administration
  • Order - Other
  • Order - User
  • Other
  • Other - Taobao
  • Provider orders - Administration
  • Payment
  • Price formation - Administration
  • Providers information
  • Provider orders integration
  • Reports
  • Reviews
  • Reviews - Administration
  • Export of rating lists
  • Settings
  • Statistics - Administration
  • User
  • Users account
  • Users account - Administration
  • User - Administration
  • User collections
  • User collections- Administration
  • Vendor
  • Vendor - Administration
  • Warehouse - Administration
  • Yandex Market integration

Signing OT API requests

Description

OTAPI keys don't have a secret part by default and don't require sign requests using it. Parameters signature and timestamp don't need to send in this case.
You need to implement the signature algorithm described below if you want to protect your key. Then contact our support team or your chat with a request to give you the secret part of the key. Any unsigned requests with uour key will stop working after that.

To make a request signatures add two new parameters signature and timestamp to its parameters.
For example, signature=305330c8b160062a90c9449cd146f4fb79a458d0fe3f04b55908edab5c65f1a5&timestamp=20210212114345
Value for request signatures is SHA256 hash from the line "{methodName}{concatenationOfAllPassedParametersValues}{secretForSignature}"
Concatenation of values should be obtained before URL-encoding from sorted parameters by name.
Value for timestamp is the call date and time in UTC+0 in "yyyyMMddHHmmss" format ("yyyy" year, "MM" month, "dd" day, "HH" hours, "mm" minutes, "ss" seconds).
For timestamp parameter values, a difference between the client and the server time not exceeding an hour is allowed.

Example

Let's take GetCategoryInfo method as an example. This method has 3 main parameters: instanceKey, language and categoryId.
After adding signature parameters, the request will be as follows:
http://otapi.net/service/GetCategoryInfo?instanceKey=INSTANCEKEY&language=ru&categoryId=0&signature=305330c8b160062a90c9449cd146f4fb79a458d0fe3f04b55908edab5c65f1a5&timestamp=20210212114345

Sorting parameters by name gives the following order:
categoryId=0
instanceKey=INSTANCEKEY
language=ru
timestamp=20210212114345

By adding their values in a sorted order we get a line "0INSTANCEKEYru20210212114345". Add method name to the beginning of the line and secret at the end of the line ( let "123123" ) and get: "GetCategoryInfo0INSTANCEKEYru20210212114345123123". Then hash the line with SHA256 and get "305330c8b160062a90c9449cd146f4fb79a458d0fe3f04b55908edab5c65f1a5". This hash is passed to signature parameter.

Errors

AccessDenied / MissingTimestamp: Timestamp is missing
AccessDenied / MissingSignature: Signature is missing
AccessDenied / InvalidTimestamp: Invalid timestamp
AccessDenied / InvalidSignature: Invalid signature