HMAC-based API authentication is a method of securing APIs that combines a secret key with a cryptographic hash function in a construction known as HMAC (Hash-based Message Authentication Code).
The parameters used for calculating the HMAC signature typically include the request payload, a timestamp and the public key (or key identifier), but they can vary depending on the API specification, which may include additional parameters, such as the HTTP method, path or a nonce.
This repository shows how to generate an HMAC signature to authenticate proxied requests against an API endpoint, by running custom code in a Proxy Request Transform.
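The signing scheme described above, shown from both sides as an added example (not code from this repository). The canonical string layout, the `X-Public-Key`, `X-Timestamp` and `X-Signature` header names, the five-minute replay window and the sample key pair are all assumptions made for illustration; a real destination API defines its own.

```javascript
// Added example: field order, header names and skew window are assumptions.
const crypto = require("node:crypto");

const MAX_SKEW_MS = 5 * 60 * 1000; // assumed replay window
// Constructed sample values, not real credentials.
const SAMPLE_PUBLIC_KEY = "EXAMPLE_PUBLIC_KEY";
const SAMPLE_PRIVATE_KEY_B64 = Buffer.from("constructed-demo-secret").toString("base64");
const SAMPLE_REQ = { method: "post", path: "/v1/charges", body: '{"amount":100}' };
const lookupKey = (id) => (id === SAMPLE_PUBLIC_KEY ? SAMPLE_PRIVATE_KEY_B64 : undefined);

// Newline-joined fields keep boundaries unambiguous; the body is hashed first
// so a newline inside the payload cannot shift a field.
function canonicalString({ method, path, timestamp, publicKey, body }) {
  const bodyHash = crypto.createHash("sha256").update(body).digest("hex");
  return [method.toUpperCase(), path, timestamp, publicKey, bodyHash].join("\n");
}

function sign(req, privateKeyB64) {
  const key = Buffer.from(privateKeyB64, "base64");
  return crypto.createHmac("sha256", key).update(canonicalString(req)).digest("base64");
}

// Sender side: what a request transform would attach before forwarding.
function buildAuthHeaders(req, publicKey, privateKeyB64, now = Date.now()) {
  const timestamp = String(now);
  const signature = sign({ ...req, timestamp, publicKey }, privateKeyB64);
  return { "X-Public-Key": publicKey, "X-Timestamp": timestamp, "X-Signature": signature };
}

// Receiver side: reject stale timestamps, unknown keys and bad signatures.
function verify(req, headers, findKey, now = Date.now()) {
  const timestamp = headers["X-Timestamp"];
  const publicKey = headers["X-Public-Key"];
  const ts = Number(timestamp);
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_SKEW_MS) return false;
  const privateKeyB64 = findKey(publicKey);
  if (!privateKeyB64) return false;
  const expected = Buffer.from(sign({ ...req, timestamp, publicKey }, privateKeyB64), "base64");
  const given = Buffer.from(String(headers["X-Signature"] || ""), "base64");
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```

Because the timestamp and body hash are inside the signed string, changing either after signing invalidates the signature, and the skew check bounds how long a captured request stays replayable.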
Follow the steps below to create a new Proxy:
- Create a new Management Application with full `application` and `proxy` permissions.
- Paste the API key to a new `terraform.tfvars` file at this repository root:

  ```hcl
  # Basis Theory Management Application Key
  management_api_key = "key_W8wA8CmcbwXxJsomxeWHVy"

  # Destination API keys
  destination_public_key = "2P6GBSQ8ZTZLP3MZ98SZ"
  destination_private_key = "aGMarItuqNYd7P+F232oLvfYHnTObbun91Y0l6/aZ28="
  ```
- Initialize Terraform:

  ```bash
  terraform init
  ```
- Run Terraform to provision all the required resources:

  ```bash
  terraform apply
  ```

Using the outputs from Terraform, you can make a request to the Proxy:

```bash
curl -L 'https://api.basistheory.com/proxy?bt-proxy-key={hmac_proxy_key}' \
  -H 'BT-API-KEY: {backend_application_key}' \
  -H 'Content-Type: application/json' \
  -d '{}'
```

⚠️ Make sure to replace the keys above with the appropriate values.