LiteAPI also provides a secure method for authenticating requests without directly transmitting your private API key. Instead, you can sign your request using HMAC SHA-512 and include the signature along with a public key in the request headers. This ensures better security by preventing your private key from being exposed in transit.
Why Use Secure Authentication?
When using API keys directly, they can be intercepted in transit, stored insecurely, or inadvertently exposed in logs. Instead, using a signed request ensures:
- Enhanced Security: Your private API key never leaves your system.
- Replay Attack Prevention: Each request includes a timestamp to prevent reuse of old signatures.
- Integrity Assurance: The server verifies that the request has not been tampered with.
How It Works
Instead of sending your private API key, you generate a unique signature using your API key, a shared secret, and a timestamp. The server then verifies the signature to authenticate the request.
Steps:
- Generate a UNIX timestamp.
- Create a signature using HMAC SHA-512, combining your API key, shared secret, and timestamp.
- Include the public key, signature, and timestamp in the request headers.
- The server validates the signature and processes the request.
Example Implementation (JavaScript/Node.js)
const crypto = require("crypto");
const privateApiKey = "prod_123";
const publicApiKey = "prod_public_456";
const timestamp = Math.floor(Date.now() / 1000);
const signature = crypto.SHA512(`${privateApiKey}${publicApiKey}${timestamp}`).toString(crypto.enc.Hex);
const authHeaderValue = `PublicKey=${publicKey},Signature=${signature},Timestamp=${timestamp}`;
const headers = {
"Content-Type": "application/json",
Accept: "application/json",
Authorization: authHeaderValue
};
console.log(headers);
Example HTTP Request
GET /v1/data/hotels HTTP/1.1
Host: api.liteapi.com
Content-Type: application/json
Accept: application/json
Authorization: PublicKey=123,Signature=abcdef123456789,Timestamp=1610000000