Child pages
  • Default Signature Type
Skip to end of metadata
Go to start of metadata

Signing a Request

By default, apstrata database will use a secure signature which depends on the data sent. It involves most of the data in the request, and it is calculated using the secret authentication key.

To Create a signature:

  1. Create a standardized string of the query string to be hashed.
    1. URL encode both the parameters and their values.
      1. In case of an attachment, the value would be the URL encoded hexadecimal representation of the MD5 hash of the file bytes (all capital letters).

        MessageDigest messageDigest = MessageDigest.getInstance("MD5"); 
        FileInputStream fis = new FileInputStream(filePath); 
        byte[] bytes = new byte[4096]; 
        int readPos =; 
        while (readPos != -1) { 
              md5.update(bytes, 0, readPos); 
              readPos =; 
        String hashedValue = hexToString(messageDigest.digest()).toUpperCase();
    2. Separate the encoded parameters and their values by the equals sign.

    3. Sort the parameters and their values by natural byte ordering (as described in the below example).

    4. Append the name value pairs with an ampersand.

  2. Create the string to be hashed:

    Hashed String
    String to hash = HTTPVerb (Upper case) + "\n" + encoded Http URL + "\n" + standardized string

    The HTTP URL will include the scheme, host, port (if present), and the path. It will not include any of the query strings.

  3. Calculate the HMAC-SHA1 hash string using the secret authentication key.

Spaces and asterisk should be encoded as %20 and %2A respectively.

Host: host

Sorted Parameters

String to Hash

Assuming that the secret authentication key is “secret”
HMAC-SHA1("secret", "POST\n\nadditionalParam1=value1&")

Example (PHP)
Host: host

$paramArr = array();
array_push(rawurlencode("apsws.time") . "=" . rawurlencode("1234567890"));
array_push(rawurlencode("") . "=" . rawurlencode("myStore"));
array_push(rawurlencode("additionalParam1") . "=" . rawurlencode("value1"));


$stringToSign = "";
for($i = 0; $i <count($paramArr); $i++)
            $stringToSign .= $paramArr[$i];
            If($i <count($paramArr) - 1)
                        $stringToSign .= "&";
$stringToSign = "POST" . "\n" . rawurlencode ([authenticationkey]/CreateStore)  
. "\n" . $stringToSign;
// assuming that the secret authentication key has the value "secret"
$signature = hash_hmac("sha1",  $stringToSign, "secret");

  • No labels