

The service provider can additionally provide BOG with a secret key for hashing. The key will be used to hash the request body for HTTP POST & PATCH requests, or the query for HTTP GET, PUT & DELETE requests. If this parameter is provided, the service provider must accept the Hash header and verify it.

The HMAC-SHA256 algorithm will be used for hashing, where HMAC-SHA256 refers to the Hash-based Message Authentication Code (Krawczyk, Bellare, Canetti, 1997) construction, a keyed message authentication method rather than encryption, used with a secret key and a cryptographic hash function, SHA256 (Eastlake, E. Huawei, Hansen, 2011). The hash code is written in hexadecimal format and contains only capital letters and digits.


HASH is the HTTP Request Body or the Query passed through the hashing algorithm.

E.g. if given the secret key:
And if the HTTP GET request is of the form:
Then the value to hash (i.e. the query, since it’s a GET request) will be:
Which will result in the following hash code: 841A782048F51A798331E4A534A240911D541B869CB0E2CF1BB58F086873C079
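One way a service provider could verify the Hash header on an incoming request, as an added example that is not BOG's own code. It assumes the key and query are UTF-8 encoded, that the query is hashed as the raw query string without the leading "?", and that the body is hashed as the exact bytes received; the function names, sample key and sample query are constructed for illustration.

```python
import hashlib
import hmac

# Per the page: body is hashed for POST/PATCH, query for GET/PUT/DELETE.
BODY_METHODS = {"POST", "PATCH"}
QUERY_METHODS = {"GET", "PUT", "DELETE"}


def hashed_value(method: str, body: bytes, query: str) -> bytes:
    """Select the bytes covered by the Hash header for this HTTP method."""
    m = method.upper()
    if m in BODY_METHODS:
        # Use the raw bytes as received; re-serialising parsed JSON can
        # change whitespace or key order and break the comparison.
        return body
    if m in QUERY_METHODS:
        # Assumption: raw query string, without the leading "?".
        return query.encode("utf-8")
    raise ValueError(f"no hashing rule for method {method!r}")


def compute_hash(secret: bytes, method: str, body: bytes = b"", query: str = "") -> str:
    """HMAC-SHA256 over the selected value, as uppercase hexadecimal."""
    mac = hmac.new(secret, hashed_value(method, body, query), hashlib.sha256)
    return mac.hexdigest().upper()


def verify_hash(secret: bytes, method: str, header_value, body: bytes = b"", query: str = "") -> bool:
    """Return True only if the received Hash header matches the request."""
    if not header_value:
        return False  # a key is configured but the header is missing: reject
    try:
        expected = compute_hash(secret, method, body, query)
    except ValueError:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    received = header_value.strip().encode("utf-8")
    return hmac.compare_digest(expected.encode("ascii"), received)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample, not a real key
    query = "customerId=12345&amount=10"   # constructed sample query
    h = compute_hash(key, "GET", query=query)
    print(h, verify_hash(key, "GET", h, query=query))
    print(verify_hash(key, "GET", h, query=query + "0"))  # tampered query
```
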