For your company, you’ll be given a unique Api ID and Api Key. The admin user can generate and reset the Api ID and Api Key under Settings >> API Settings.
Keep your Api ID and Api Key secret. They should be guarded just as you would your regular account password. If you feel your ID and Key have been compromised, you can reset them by deleting them and creating a new ID and Key.
For every API request you make, you’ll need to include ApiID, timestamp and signature as request parameters.
The signature is in Base64 format and is calculated with HMAC-SHA-256, using your ApiKey as the key, over ApiID+timestamp+RequestJSON.
You can check whether your signing is correct in API settings. The “SigningStatus” column shows either “OK” or “Insecure: ” followed by the UTC date of the last incorrectly signed API request. Incorrectly signed API payloads will be rejected from 2020-03-01.
IMPORTANT: The HMAC-SHA-256 result should be encoded to Base64 from the raw data. This example shows the difference: https://stackoverflow.com/questions/32188149/difference-between-cryptojs-enc-base64-stringify-and-normal-base64-encryption
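The signing rule above, as an added Python example that is not the vendor's own code: it computes the signature from the raw digest, shows the hex-then-Base64 mistake next to it, and verifies with a constant-time comparison. Assumptions: plain concatenation with no separator, UTF-8 encoding of the key and message, a constructed timestamp format, and a hypothetical `body` field name and `build_request` helper; the credentials are constructed samples.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not real credentials. The timestamp format is an
# assumption; the page does not specify one.
API_ID = "example-api-id"
API_KEY = "example-api-key"
TIMESTAMP = "1700000000"


def _mac(api_key, api_id, timestamp, request_json):
    # Assumption: ApiID+timestamp+RequestJSON concatenated as-is, UTF-8 encoded.
    message = (api_id + timestamp + request_json).encode("utf-8")
    return hmac.new(api_key.encode("utf-8"), message, hashlib.sha256)


def sign(api_key, api_id, timestamp, request_json):
    """Correct form: Base64 of the raw 32-byte HMAC digest (44 characters)."""
    raw = _mac(api_key, api_id, timestamp, request_json).digest()
    return base64.b64encode(raw).decode("ascii")


def sign_hex_then_base64(api_key, api_id, timestamp, request_json):
    """Common mistake: Base64 of the 64-character hex string (88 characters)."""
    hex_text = _mac(api_key, api_id, timestamp, request_json).hexdigest()
    return base64.b64encode(hex_text.encode("ascii")).decode("ascii")


def verify(api_key, api_id, timestamp, request_json, signature):
    """Receiver-side check; compare_digest avoids leaking match length via timing."""
    expected = sign(api_key, api_id, timestamp, request_json)
    return hmac.compare_digest(expected.encode("utf-8"), signature.encode("utf-8"))


def build_request(api_key, api_id, timestamp, payload):
    # Serialize once and sign exactly the string that is sent. Re-serializing
    # later can change key order or whitespace and invalidate the signature.
    request_json = json.dumps(payload, separators=(",", ":"))
    return {
        "ApiID": api_id,
        "timestamp": timestamp,
        "signature": sign(api_key, api_id, timestamp, request_json),
        "body": request_json,  # hypothetical field name for the JSON payload
    }


if __name__ == "__main__":
    print(build_request(API_KEY, API_ID, TIMESTAMP, {"invoice": 42}))
```

A 44-character signature that decodes to 32 bytes indicates the raw-digest form; an 88-character value is the hex-encoded variant.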