Authentication

Mobee uses API Key, Signature and Timestamp to authenticate all API calls.

Every API request must contain the following headers:

• X-API-Key - The API Key created from Mobee Mobile App.
• X-Request-Signature - The signature generated for the request.
• X-Request-Timestamp - The unix timestamp when request is send.

Request Signature

The X-Request-Signature header for each request is generated as the following steps:

1. Construct a json string with following format
   • For request with method GET
     format: {method}\n{path}\n{timestamp}
     example: GET\n/v1/foo/bar\n1695286018
   • For request with method POST
     format: {method}\n{path}\n{timestamp}\n{body}
     example: POST\n/v1/foo/bar\n1695286018\n{"side":"buy"}
   • For request with method PUT
     format: {method}\n{path}\n{timestamp}\n{body}
     example: PUT\n/v1/foo/bar\n1695286018\n{"name":"baz"}
2. Use HMAC SHA256 to sign the string with the API secret
3. Encode the signature in the Base64 string.

Request Timestamp

The X-Request-Timestamp header for each request is same as the timestamp in the request signature

Postman Pre-Request Script

const apiKey = "api-key"
const apiSecret = "api-secret"

const timestamp = Math.floor(Date.now() / 1000)
let strToSign = pm.request.method
    + '\n' + pm.request.url.getPath()
    + '\n' + timestamp

if (pm.request.method == "POST" || pm.request.method == "PUT") {
    strToSign += '\n' + pm.request.body.raw
}

const signBytes = CryptoJS.HmacSHA256(strToSign, apiSecret);
const signBase64 = CryptoJS.enc.Base64.stringify(signBytes);

pm.request.headers.add({
    key: "X-API-Key",
    value: apiKey
});

pm.request.headers.add({
    key: "X-Request-Signature",
    value: signBase64
});

pm.request.headers.add({
    key: "X-Request-Timestamp",
    value: timestamp
});