
HMAC-SHA256

The service provider can additionally provide BOG with a secret key for hashing. The key is used to hash the request body for HTTP POST and PATCH requests or, for HTTP GET, PUT and DELETE requests, the query. If this key is provided, the service provider must accept the Hash header and verify it.

Hashing uses the HMAC-SHA256 algorithm: the Hash-based Message Authentication Code (Krawczyk, Bellare, Canetti, 1997) construction, used with a secret key and the cryptographic hash function SHA256 (Eastlake, E. Huawei, Hansen, 2011). The hash code is written in hexadecimal and contains only capital letters and digits.

Hash (required): <HASH>

HASH is the HTTP Request Body or the Query passed through the hashing algorithm.

E.g. if given the secret key:
8bbe50a7d61af79211148c09e40e1bffaefdf319dce665bc5a31b55ec28a508b
And if the HTTP GET request is of the form:
http://serviceprovider:8088/api/mock/get-categories?personalNumber=01234567890&birthDate=11.01.2002
Then the value to hash (i.e. the query, since it’s a GET request) will be:
personalNumber=01234567890&birthDate=11.01.2002
Which will result in the following hash code: 841A782048F51A798331E4A534A240911D541B869CB0E2CF1BB58F086873C079
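A sketch of the service-provider side of this check, added here as an example and not taken from BOG's own code. The function names and the demo key are hypothetical, and the page does not say whether the issued key is used as its ASCII text or hex-decoded to raw bytes, so the key is passed in as bytes; confirm the choice against the sample hash above.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Which part of the request is hashed, per the rules on this page.
BODY_METHODS = {"POST", "PATCH"}
QUERY_METHODS = {"GET", "PUT", "DELETE"}

# Constructed demo key, not a real secret.
DEMO_KEY = b"constructed-demo-key"


def signed_payload(method: str, url: str, body: bytes = b"") -> bytes:
    """Return the exact bytes that HMAC-SHA256 is computed over."""
    method = method.upper()
    if method in BODY_METHODS:
        # Hash the raw body as received, before any JSON parsing.
        return body
    if method in QUERY_METHODS:
        # Hash the raw query string; do not decode or reorder parameters.
        return urlsplit(url).query.encode("utf-8")
    raise ValueError(f"no hashing rule for method {method}")


def compute_hash(key: bytes, method: str, url: str, body: bytes = b"") -> str:
    """Uppercase hexadecimal HMAC-SHA256 of the signed payload."""
    mac = hmac.new(key, signed_payload(method, url, body), hashlib.sha256)
    return mac.hexdigest().upper()


def verify_hash(key: bytes, method: str, url: str, body: bytes,
                header_value) -> bool:
    """Check the Hash header; a missing header is rejected."""
    if not header_value:
        return False
    expected = compute_hash(key, method, url, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(),
                               header_value.strip().encode())


if __name__ == "__main__":
    url = ("http://serviceprovider:8088/api/mock/get-categories"
           "?personalNumber=01234567890&birthDate=11.01.2002")
    sent = compute_hash(DEMO_KEY, "GET", url)
    print("valid request:   ", verify_hash(DEMO_KEY, "GET", url, b"", sent))
    tampered = url.replace("01234567890", "09999999999")
    print("tampered request:", verify_hash(DEMO_KEY, "GET", tampered, b"", sent))
```

Verification must run on the bytes as they arrived on the wire; re-serialising a parsed body or rebuilding the query string will change the hash.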