hi @haresh.advani,

Just a quick look at your code and you've use the wrong line...for the request-target...for GET the line does not include content, so please review the Postman collection Pre-request script and note *exactly* what is required for each GET/PUT/PUSH/DEL/HEAD request

(request-target) host date content-type content-length"

CORRECT: (request-target) host date\",

Hi @haresh.advani,

Without knowing your environment (we do not support 3rd party SDKs or IDEs) and seeing the full code for the request your assembling, it's difficult to diagnose your issue. Please send me an email with more information, especially the request your are making as the GET/PUT/POST/HEAD/DEL all have different formats and are exacting depending on the request.

Brian

We use an industry standard, security appliance IBM DataPower and this will be your client accessing your API services. The code that signs and base 64 encodes the string is a custom Gateway script which supports ECMAScript, based on Javascript and Jscript.

The Get request our code made returned a 401 unauthorised response from you and the headers for the GET request is here:

Header in our code: (that returns a 401 unauthorized response)

[{"Date":"Thu,
16 Mar 2017 14:46:12 GMT"Authorization":"Signature
keyId=\"a4364e62-e58b-4b64-9c71-faead5417557\",algorithm=\"hmac-sha256\",headers=\"(request-target)
host date content-type content-length\",signature=\"4+wzapqhR2CCERy1VJXzHDDl6jdQ939FnqI2NIwQZnM=\""}] 

The technical requirement at our end is to use the API secret in hex format preceded by 0x.

Can you confirm that the API secret we have (/NoVqWHBRv23t5ae9OuQlODUX5yoAcJcFP8Z2nJldBkrsTCdqhRzGzrrTvD9EVqLgwTrXC4xKZ/Khfv6shMwAA==) is in clear text format?

If no, can you provide the secret in clear text or in hex format?

If yes, can you please investigate at your end what is causing the 401 response?

Our GW script code is attached for reference:

apim.setvariable('gateway-host','rms-world-check-one-api-pilot.thomsonreuters.com','add');
apim.setvariable('gateway-url','/v1/','add');
apim.setvariable('api-key','a4364e62-e58b-4b64-9c71-faead5417557','add');
var date = new Date().toGMTString();
apim.setvariable('datasign', '(request-target): get ' + apim.getvariable('gateway-url') + 'groups' + '\\n' + 'host: '+apim.getvariable('gateway-host')  + '\\n' +'date: ' +date, 'add');
var crypto = require('crypto');
var myKey = 'Key_ThompsonReuters';
var hmac = crypto.createHmac('hmac-sha256', myKey);
var data2sign = apim.getvariable('datasign');
var result = hmac.update(data2sign).digest('base64');
apim.setvariable('authorisation','Signature keyId="' + apim.getvariable('api-key') + '",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length",signature="' + result + '"', 'add');
apim.setvariable('message.headers.Date', date, 'add');
apim.setvariable('message.headers.Authorization', apim.getvariable('authorisation'), 'add');

Hi @brian.bourgault,

We have updated the information can you please look into the same and let us know if the information is sufficient for your investigation.

Thanks,

Haresh

Hi @haresh.advani,

Response from development:

We provide the API secrets in plaintext, but using a limited set of ASCII characters that can each be converted to single byte values, so a byte array representation of the ASCII codepoints in the secret text string is equivalent to the ASCII representation of the text.

If the client needs to, they can convert the secret to an array of bytes and represent this byte sequence as a hex string, if their cryptography library requires this.

Also, I assume this key is the api secret key (you posted before)

/NoVqWHBRv23t5ae9OuQlODUX5yoAcJcFP8Z2nJldBkrsTCdqhRzGzrrTvD9EVqLgwTrXC4xKZ/Khfv6shMwAA==

var myKey = 'Key_ThompsonReuters';

Many Thanks Brian!!!

Perfect, that answers all my questions. I'm able to retrieve the groups successfully now. The changes that I had to make were:

1. Use the API secret as plain text

2. content-type and content-length removed.

Hi @haresh.advani,

Great, I assumed you were passing the plain text from earlier emails, the root cause of your issue was the target string without the content. Now be sure to check every request pre-request script for every request.

Brian

Cheers and Thanks Brian for the help!

Hi @haresh.advani,

I posted an example of "How-To" code the Authorization with API secret and Datasign.

Hope this helps,

Brian

For other 401 unauthorized errors, consider watching:

World-Check One API – Overview and Quick Start