1.3.10
OAS 3.1.0

Lastmily External API documentation

External API auth

API credentials

To send an authenticated request to our API, you must first acquire your $client_id and $client_secret.

Create the signature

First, acquire your $client_id.

Then take the current timestamp, $current_timestamp, in Unix epoch format (this value must also be sent in the headers, and it must be exactly the same value).

If the request has a body, base64-encode it into $rawRequestBody.

Finally, concatenate those elements as $client_id + $current_timestamp [ + $rawRequestBody ] into the $stringToBeHashed variable.

After that, compute the HMAC of $stringToBeHashed with SHA-256 (hash_hmac), using your $client_secret as the hash key. The result is the value sent in the x-sign header.

How to send the request

The request must have the following headers:

  • Content-Type: application/json
  • Authorization: Bearer $client_id
  • x-time: $current_timestamp
  • x-sign: $currentSign

Finally, when applicable, add the body as JSON.

Example in PHP

<?php
// Helper vars
$client_id = 'CLIENT_ID';
$client_secret = 'CLIENT_SECRET';
$current_timestamp = '1638355463';

// Raw request body as a JSON string (empty string when the request has no body)
$rawRequestBody = json_encode(['id' => 4]); //=> base64_encode($rawRequestBody) => RAW_BODY_BASE64_ENCODED

// Concatenation of parts
$stringToBeHashed = $client_id . $current_timestamp;
// If a body exists (POST, PUT, etc.), append it base64-encoded; when empty, append nothing
if (!empty($rawRequestBody)) {
    $stringToBeHashed .= base64_encode($rawRequestBody);
}

$x_sign = hash_hmac('sha256', $stringToBeHashed, $client_secret);

// Example concatenated string:
//$stringToBeHashed = 'CLIENT_ID1638355463RAW_BODY_BASE64_ENCODED'; // => when body
//$stringToBeHashed = 'CLIENT_ID1638355463'; // => when no body

Example in JS (POSTMAN)

let moment = require('moment');
var timestamp =  moment().unix();
//timestamp =1670416987

// Set your credentials here
pm.environment.set('client_id','');
pm.environment.set('client_secret', '');

// Base64 of the raw body; stays empty when the request has no body
var bdencStr= ''

if (pm.request.body.raw){
    var bdenc= CryptoJS.enc.Utf8.parse(pm.request.body.raw);
    console.log('NOT NULL');
    bdencStr= CryptoJS.enc.Base64.stringify(bdenc);
}


var stringToBeHashed=(pm.environment.get('client_id')+timestamp+bdencStr);

var sha256 = CryptoJS.HmacSHA256(stringToBeHashed, pm.environment.get('client_secret')).toString(CryptoJS.enc.Hex);

console.log("timestamp: "+timestamp);
console.log("rawRequestBody___: " + bdencStr);
console.log("stringToBeHashed__: "+stringToBeHashed);
console.log("hash_hmac___: "+ sha256);

pm.environment.set('current_sign', sha256);

pm.request.headers.add({
  key: 'x-time',
  value: timestamp
});

pm.request.headers.add({
  key: 'x-sign',
  value:  pm.environment.get('current_sign')
});

Example in .NET

// Requires: using System; using System.Security.Cryptography; using System.Text;
// client_id and client_secret are assumed to be static string fields of the enclosing class.
// This example signs a request without a body.
public static (string, string) Get_x_time_x_sign() {

    var encoding = Encoding.UTF8;

    //unix epoch timestamp
    string x_time = DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString();

    //string to be hashed
    string string_to_be_hashed = string.Concat(client_id, x_time);

    //use client secret as key
    var keyByte = encoding.GetBytes(client_secret);

    using (var hmacsha256 = new HMACSHA256(keyByte)) {

        byte[] bytes = hmacsha256.ComputeHash(encoding.GetBytes(string_to_be_hashed));

        //convert to string hex format
        string x_sign = "";

        for (int i = 0; i < bytes.Length; i++)
            x_sign += bytes[i].ToString("X2");

        return (x_time, x_sign.ToLower());
    }

}

Example in Python

import base64
import hashlib
import hmac
import json
import time


def get_headers(payload=None):
    current_timestamp = str(int(time.time()))
    client_id = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
    client_secret = 'priv_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
    string_to_be_hashed = client_id + current_timestamp
    if payload:
        base64_payload = base64.b64encode(json.dumps(payload).encode()).decode()
        string_to_be_hashed += base64_payload
    signature = hmac.new(client_secret.encode(), msg=string_to_be_hashed.encode(), digestmod=hashlib.sha256)
    headers = {
        'Content-Type': 'application/json',
        'Authorization': f'Bearer {client_id}',
        'x-time': current_timestamp,
        'x-sign': signature.hexdigest()
    }
    return headers
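
The signing and header rules above, paired with a receiver-side check, as an added example (not Lastmily's code): it shows that x-sign only verifies when x-time and the body bytes are exactly what was signed. verify_request, the SECRETS lookup and the 300-second freshness window are assumptions; the page does not describe the server side.

```python
import base64
import hashlib
import hmac
import json

MAX_SKEW_SECONDS = 300  # assumption: the page does not state a freshness window


def compute_sign(client_id, client_secret, timestamp, raw_body=b""):
    """HMAC-SHA256 over client_id + timestamp [+ base64(raw body)], hex encoded."""
    to_hash = client_id + timestamp
    if raw_body:
        to_hash += base64.b64encode(raw_body).decode("ascii")
    return hmac.new(client_secret.encode(), to_hash.encode(), hashlib.sha256).hexdigest()


def build_request(client_id, client_secret, timestamp, payload=None):
    """Serialize once, sign those bytes, return (headers, body) to send unchanged."""
    raw_body = json.dumps(payload).encode() if payload else b""
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {client_id}",
        "x-time": timestamp,
        "x-sign": compute_sign(client_id, client_secret, timestamp, raw_body),
    }
    return headers, raw_body


def verify_request(headers, raw_body, secret_store, now):
    """Hypothetical receiver-side check: recompute the signature from what arrived."""
    scheme, _, client_id = headers.get("Authorization", "").partition(" ")
    secret = secret_store.get(client_id)
    timestamp = headers.get("x-time", "")
    if scheme != "Bearer" or secret is None or not timestamp.isdecimal():
        return False
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated request
    expected = compute_sign(client_id, secret, timestamp, raw_body)
    return hmac.compare_digest(expected.encode(), headers.get("x-sign", "").encode())


# Constructed sample values, not real credentials
SECRETS = {"CLIENT_ID": "CLIENT_SECRET"}
HEADERS, BODY = build_request("CLIENT_ID", "CLIENT_SECRET", "1638355463", {"id": 4})
```

Send BODY as the request body byte for byte: letting an HTTP library re-serialize the payload with different whitespace or key order produces a different base64 string and the signature no longer matches.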
