Introduction

Authentication is a crucial part of the Take a NAP API. It ensures that only authorized developers can access the API, providing an additional layer of security. When you are approved for API access, you will receive an API key and an API secret. These credentials are used to sign each request you make to the API.

Request Signing

Request signing is a standard process in the development world, and it’s essential for ensuring the integrity and authenticity of the data sent to the API. By signing the request body with a secret key, you prove that the request is coming from a trusted source and that the data has not been tampered with during transmission.

Important Security Notice: All calls to the Take a NAP API must be made from a server. The API secret is a sensitive piece of information and must never be shared with anyone. Exposing your API secret can lead to unauthorized access to your account and other serious security risks.

Here’s how you can sign your requests using different programming languages:

Example: Signing a Request (Node.js)

Here’s an example of how to sign a request using JavaScript & Node.js:

const axios = require('axios');
const crypto = require('crypto');

const apiKey = 'your-api-key';
const apiSecret = 'your-api-secret';

const request = axios.create({
  baseURL: 'https://api.takeanap.bg/public-api/resource',
  headers: {
    'x-api-key': apiKey,
  },
});

request.interceptors.request.use((config) => {
  if (config.data) {
    const signature = crypto
      .createHmac('sha256', apiSecret)
      .update(JSON.stringify(config.data))
      .digest('hex');

    config.headers['x-signature'] = signature;
  }
  return config;
});

Example: Signing a Request (Python)

Here’s an example of how to sign a request using Python:

import hmac
import hashlib
import requests

def sign_request(request):
    if request.body:
        signature = hmac.new(api_secret.encode('utf-8'), request.body, hashlib.sha256).hexdigest()
        request.headers['x-signature'] = signature
    return request

api_key = 'your-api-key'
api_secret = 'your-api-secret'
url = "https://api.takeanap.bg/public-api/resource"

session = requests.Session()
session.headers.update({'x-api-key': api_key})
session.hooks['request'].append(sign_request)

response = session.post(url, json={'data': 'value'})

Example: Signing a Request (Java)

Here’s an example of how to sign a request using Java:

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class RequestSigningExample {
    public static void main(String[] args) {
        String apiKey = "your-api-key";
        String apiSecret = "your-api-secret";
        String requestBody = "{\"data\":\"example\"}";

        try {
            Mac sha256Hmac = Mac.getInstance("HmacSHA256");
            SecretKeySpec secretKey = new SecretKeySpec(apiSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
            sha256Hmac.init(secretKey);

            byte[] hash = sha256Hmac.doFinal(requestBody.getBytes(StandardCharsets.UTF_8));
            String signature = Base64.getEncoder().encodeToString(hash);

            // Add the "x-api-key" and "x-signature" headers to your request
            System.out.println("x-api-key: " + apiKey);
            System.out.println("x-signature: " + signature);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Ruby Example

Here’s an example of how to sign a request using Ruby:

require 'openssl'
require 'base64'

api_key = 'your-api-key'
api_secret = 'your-api-secret'
request_body = '{"data":"example"}'

signature = OpenSSL::HMAC.hexdigest('sha256', api_secret, request_body)

# Add the "x-api-key" and "x-signature" headers to your request
puts "x-api-key: #{api_key}"
puts "x-signature: #{signature}"

Go Example

Here’s an example of how to sign a request using Go:

package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

func main() {
	apiKey := "your-api-key"
	apiSecret := "your-api-secret"
	requestBody := []byte(`{"data":"example"}`)

	h := hmac.New(sha256.New, []byte(apiSecret))
	h.Write(requestBody)
	signature := hex.EncodeToString(h.Sum(nil))

	// Add the "x-api-key" and "x-signature" headers to your request
	fmt.Println("x-api-key:", apiKey)
	fmt.Println("x-signature:", signature)
}

Why Signing is Important

Signing the request is a critical security measure that prevents unauthorized access and ensures data integrity. By requiring a signature, the API can verify that the request is coming from an authorized source and that the content has not been altered in transit. This process helps in:

  • Authentication: Confirming the identity of the requester.
  • Integrity: Ensuring that the data has not been tampered with.
  • Non-Repudiation: Providing proof of the origin of the data.

Requesting Credentials

To obtain your API key and API secret, you can request them at [email protected]. Once approved, you will receive the credentials needed to authenticate your requests with the Take a NAP API.

Conclusion

Proper authentication is vital for securing your interactions with the Take a NAP API. By following the guidelines and examples provided in this document, you can ensure that your requests are authenticated and secure.