Mobee uses an API Key, Signature, and Timestamp to authenticate all API calls.
Every API request must include the following headers:
- X-API-Key — the API Key created from the Mobee Mobile App.
- X-Request-Signature — the signature generated for the request.
- X-Request-Timestamp — the Unix timestamp (in seconds) at the time the request is sent.
Request Signature
The X-Request-Signature header for each request is generated with the following steps:
- Construct the string to sign in the following format:
  - For requests with method GET
    format: {method}\n{path}\n{timestamp}
    example: GET\n/v1/foo/bar\n1695286018
  - For requests with method POST
    format: {method}\n{path}\n{timestamp}\n{body}
    example: POST\n/v1/foo/bar\n1695286018\n{"side":"buy"}
  - For requests with method PUT
    format: {method}\n{path}\n{timestamp}\n{body}
    example: PUT\n/v1/foo/bar\n1695286018\n{"name":"baz"}
- Use HMAC SHA256 to sign the string with the API secret.
- Encode the signature as a Base64 string.
Request Timestamp
The X-Request-Timestamp header must match the timestamp used when generating the signature.
The server rejects requests with the TIMESTAMP_OUT_OF_TOLERANCE error when the timestamp drifts too far from server time, which usually means the client clock is out of sync.
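The signing steps and the timestamp rule above, as an added Node.js example (not Mobee's code) showing the client signature next to a sketch of how a server could check it. The 30-second tolerance, the INVALID_SIGNATURE name, the `verify` and `makeRequest` helpers, the request object shape and the secret are assumptions constructed for illustration; only the string format, header names and TIMESTAMP_OUT_OF_TOLERANCE come from this page.

```javascript
const crypto = require("crypto");

// Assumption: the page does not state the tolerance window; 30 s is a placeholder.
const TOLERANCE_SECONDS = 30;

// {method}\n{path}\n{timestamp}, plus \n{body} for POST and PUT (format from the page).
function stringToSign(method, path, timestamp, body) {
  const parts = [method, path, String(timestamp)];
  if (method === "POST" || method === "PUT") parts.push(body ?? "");
  return parts.join("\n");
}

// HMAC SHA256 over the string with the API secret, Base64 encoded.
function sign(secret, method, path, timestamp, body) {
  return crypto.createHmac("sha256", secret)
    .update(stringToSign(method, path, timestamp, body), "utf8")
    .digest("base64");
}

// Hypothetical client helper: builds a request carrying the two signed headers.
function makeRequest(secret, method, path, timestamp, rawBody) {
  return {
    method, path, rawBody,
    headers: {
      "x-request-timestamp": String(timestamp),
      "x-request-signature": sign(secret, method, path, timestamp, rawBody),
    },
  };
}

// Hypothetical server-side check; Mobee's real implementation is not shown on the page.
function verify(secret, req, nowSeconds) {
  const tsHeader = String(req.headers["x-request-timestamp"] ?? "");
  // Reject missing, non-numeric or drifted timestamps before doing any HMAC work.
  if (!/^\d+$/.test(tsHeader) ||
      Math.abs(nowSeconds - Number(tsHeader)) > TOLERANCE_SECONDS) {
    return "TIMESTAMP_OUT_OF_TOLERANCE";
  }
  // Recompute over the raw body exactly as received, never a re-serialized copy.
  const expected = Buffer.from(
    sign(secret, req.method, req.path, tsHeader, req.rawBody), "base64");
  const given = Buffer.from(String(req.headers["x-request-signature"] ?? ""), "base64");
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return "INVALID_SIGNATURE"; // hypothetical error name
  }
  return "OK";
}
```

Because the signature covers the exact body string, a client that signs one serialization and sends another (different whitespace or key order) fails verification even though the JSON is equivalent.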
Postman Pre-Request Script
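// Runs as a Postman pre-request script; pm and CryptoJS come from the Postman sandbox.
const apiKey = "api-key";
const apiSecret = "api-secret";
// Unix time in seconds; the same value is signed and sent in X-Request-Timestamp.
const timestamp = Math.floor(Date.now() / 1000);

// {method}\n{path}\n{timestamp}, plus \n{body} for POST and PUT.
let strToSign = pm.request.method
  + '\n' + pm.request.url.getPath()
  + '\n' + timestamp;
if (pm.request.method === "POST" || pm.request.method === "PUT") {
  // The raw body text is signed as-is, so it must match what is sent.
  strToSign += '\n' + pm.request.body.raw;
}

// HMAC SHA256 with the API secret, then Base64.
const signBytes = CryptoJS.HmacSHA256(strToSign, apiSecret);
const signBase64 = CryptoJS.enc.Base64.stringify(signBytes);

pm.request.headers.add({
  key: "X-API-Key",
  value: apiKey
});
pm.request.headers.add({
  key: "X-Request-Signature",
  value: signBase64
});
pm.request.headers.add({
  key: "X-Request-Timestamp",
  value: String(timestamp) // header values are strings
});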
