Signature Generation
The signature ensures request authenticity and prevents tampering. Every request must include a valid signature in the X-B1LINK-Signature header.
Algorithm
- Algorithm: HMAC-SHA256
- Encoding: Base64
- Secret Key: Your stored API key
Step-by-Step Process
-
Serialize the request body to JSON
- Use the exact format:
{"Id":"<guid>","ErpVendorNumber":"<vendor-number>"} - Ensure no extra whitespace or formatting differences
- Properties must be in order:
Idfirst, thenErpVendorNumber
- Use the exact format:
-
Compute HMAC-SHA256 hash
- Use your stored API key as the secret key
- Use the JSON string (UTF-8 encoded) as the message
- Compute HMAC-SHA256 hash
-
Base64 encode the hash
- Encode the binary hash result to Base64 string
-
Include in header
- Set the
X-B1LINK-Signatureheader to the Base64-encoded hash
- Set the
Common Pitfalls
❌ DO NOT:
- Add extra whitespace to the JSON
- Change property order in JSON
- Use pretty-printed JSON (with indentation)
- Include the signature in the JSON body (it goes in the header)
- Use a different encoding than UTF-8
✅ DO:
- Use compact JSON (no extra spaces)
- Maintain property order:
Id, thenErpVendorNumber - Use UTF-8 encoding for the JSON string
- Base64 encode the HMAC result
Example Signature Generation
Given:
- API Key:
dGVzdF9hcGlfa2V5X2V4YW1wbGU= - Request Body:
{"Id":"550e8400-e29b-41d4-a716-446655440000","ErpVendorNumber":"VENDOR-12345"}
The signature would be computed as:
- JSON string:
{"Id":"550e8400-e29b-41d4-a716-446655440000","ErpVendorNumber":"VENDOR-12345"} - HMAC-SHA256(JSON, API Key) → binary hash
- Base64(binary hash) →
X-B1LINK-Signatureheader value
Next Steps
- Request Examples - See complete working examples with signatures
- Code Examples - Implementation examples in multiple languages