HMAC+SHA* or RSA+SHA* algorithms are used to sign requests and responses with an API key. The generated signature should be Base64-encoded and provided in an X-Signature HTTP header.

Signature Format

XXX.YYY

where XXX is a Base64-encoded header and YYY is a Base64-encoded content signature.

The header is a JSON packet that contains information required for proper signature generation:

Header

{
  "alg": "HS512", // signing algorithm; one of HS256, HS384, HS512, RS256, RS384, RS512
  "key": "OTgxMzI0NjY5OTEyMzQ4", // id of the key that was used to generate the signature
  "timestamp": 1540905923 // time of signature generation, in Unix epoch format
}

The signature generation algorithm for symmetric signing (using a shared key):

Header

StringToSign =
request.method + // HTTP method from the request GET|POST|PUT|PATCH|DELETE etc
request.path + // path part of the request
request.queryString + // query string of the request
request.timestamp.toString() + // string representation of header.timestamp
Base64Encode(Base64Encode(SHA(removeEscapeSequenceAndWhitespace(request.payload)))), // Base64-encoded SHA hash of whitespace-cleaned request.payload

EscapeSequenceAndWhitespace refers to any of these characters:

// requires java.util.Arrays, java.util.HashSet, java.util.Set
private static final Set<Character> REPLACEMENTS = new HashSet<>(Arrays.asList(
    '\n', /* \u000a: linefeed LF */
    '\r', /* \u000d: carriage return CR */
    '\b', /* \u0008: backspace BS */
    '\f', /* \u000c: form feed FF */
    '\t', /* \u0009: horizontal tab HT */
    ' '
));
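
The shared-key (HS*) scheme above, signed and verified end to end, as an added example that is not part of the original documentation. It follows the StringToSign formula literally, including the nested Base64Encode. Assumptions: standard Base64, the payload hash uses the SHA variant named by alg, YYY is the HMAC of StringToSign under the shared key, and the names max_skew and secret_for_key are hypothetical.

```python
import base64, hashlib, hmac, json, time

STRIP = set("\n\r\b\f\t ")  # the page's REPLACEMENTS characters
DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
b64 = base64.b64encode  # assumption: standard (not URL-safe) Base64 alphabet

def string_to_sign(alg, method, path, query, timestamp, payload):
    digest = DIGESTS[alg]  # assumption: payload hash is the SHA variant named by alg
    cleaned = "".join(c for c in payload if c not in STRIP).encode()
    body_hash = b64(b64(digest(cleaned).digest()))  # nested Base64Encode, as in the formula
    return (method + path + query + str(timestamp)).encode() + body_hash

def sign(secret, key_id, alg, method, path, query, payload, now=None):
    ts = int(time.time() if now is None else now)
    header = json.dumps({"alg": alg, "key": key_id, "timestamp": ts})
    msg = string_to_sign(alg, method, path, query, ts, payload)
    mac = hmac.new(secret, msg, DIGESTS[alg]).digest()  # assumption: YYY = HMAC(StringToSign)
    return (b64(header.encode()) + b"." + b64(mac)).decode()

def verify(secret_for_key, x_signature, method, path, query, payload,
           now=None, max_skew=300):
    """True only for a fresh, correctly signed request (max_skew is an assumed policy)."""
    try:
        head_b64, sig_b64 = x_signature.split(".")
        header = json.loads(base64.b64decode(head_b64, validate=True))
        ts = int(header["timestamp"])
        msg = string_to_sign(header["alg"], method, path, query, ts, payload)
        digest = DIGESTS[header["alg"]]  # allow-list: unknown alg raises KeyError
        secret = secret_for_key(header["key"])  # hypothetical key-lookup callback
        sent = base64.b64decode(sig_b64, validate=True)
    except (ValueError, KeyError, TypeError, OverflowError):
        return False
    if secret is None:
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > max_skew:  # reject stale or replayed signatures
        return False
    expected = hmac.new(secret, msg, digest).digest()
    return hmac.compare_digest(expected, sent)  # constant-time comparison
```

Because the listed characters are stripped before hashing, payloads that differ only in those characters produce the same signature, so the receiver should not treat the signature as covering the payload's whitespace.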

HMAC

Security Scheme Type: API Key
Header parameter name: X-Signature

Session

Security Scheme Type: API Key
Header parameter name: X-Auth-Token