Using Sec Key (Legacy)

The Sec Key security implementation has been deprecated. We still support authentication via Sec Key but we strongly suggest migrating to the streamlined Signature authentication approach.

If you use one of the SDKs, there is no reason to use the code in the following section as the sec_key can be generated by calling the generate_sec_key function.


api_key - Half of a secret RSA key pair. Used to create signature token (sec_key).

sec_key - Token that combines your partner ID and a timestamp and is encrypted with the api_key.

API Key for Sec Key (Legacy)

To generate your Sec Key, you will need the API Key for Sec Key (Legacy)

Your api key is a Base64 encoded RSA public key. It is used to encode a signature for requests made to our server, and to decode the signature of requests coming from our server. For information about how to create and decode signatures see the authentication section of the documentation. You can rotate your API key any time, however your previous key will be immediately rendered inert.

You can find and generate your an API key here. To communicate with our system we require a signature on each request to ensure that both parties are who they say they are. In order to sign your requests to our servers, the first step is to generate an API key here. This will return a Base64 encoded RSA public key. The key is unique to each environment, so you will need a different key for the test and production environments. You will need to know your partner ID, which is available below, to create the signature.

Your partner ID: 85

String Value of your partner ID: "085"

In the calculation of the signature use an integer for your partner ID, everywhere else use a string

Be sure to specify pkcs1 padding when utilising the public key encrypt function of your RSA key, if that is not the default padding of your language of choice.

Example code for creating the signature

> Calculating your outgoing signature:
api_key = <Your API key>
partner_id = "<Your partner ID>"
timestamp =
hash_signature = Digest::SHA256.hexdigest([partner_id.to_i, timestamp].join(":"))
public_key =
signature = [Base64.encode64(public_key.public_encrypt(hash_signature)), hash_signature].join('|')

> Make sure to replace partner_id with your Partner ID.
> Make sure to replace api_key with your API key.
> Calculating an incoming signature:

api_key = "<Your api key>"
partner_id = "<Your partner ID>"
timestamp = body["timestamp"]
hash = Digest::SHA256.hexdigest([partner_id.to_i, timestamp].join(":"))
encrypted, hashed = body["sec_key"].split("|")
success = == hash && hash == hashed
## success should equal true

> Make sure to replace partner_id with the String Value of your Partner ID.
> Make sure to replace api_key with your API key.

Last updated