For a deeper look into our World Check One API, look into:

Overview |  Quickstart |  Documentation |  Downloads

question

Upvotes
Accepted
32 2 0 4

how can i get more info from 401 unauthorized response?

Hello, im trying to connect to the WC1 API, and im getting 401. how can i know where is the problem.

here is my header from last request:

{'Date': 'Sun, 03 Mar 2019 14:53:44', 'Authorization': 'Signature keyId="2f392296-1ddc-4568-a73c-0d06acecdb15",algorithm="hmac-sha256",headers="(request-target) host date",signature=b\'S5wGW9KgVsrOF8tIluOo4YkFUDFLChZNGQInW8y17Og=\''}

and here is the response headers:

{'X-Application-Context': 'application', 'Authorization': 'WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length', 'Content-Length': '0', 'Date': 'Sun, 03 Mar 2019 14:53:43 GMT', 'Server': '""'}

world-checkworld-check-one
icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

10 Answers

Upvotes
Accepted
2.4k 5 5 5

@meirr

Yes, you're right if you compare the signature from the working postman request (sXm4gi7c2TjkPf/JRKMFahJdvpnWZmf+lonI5ekAYDY=) and signature from the request you provided (uRI4YC4yRzIeznKmzJYFIYy6Dc8Ffhe4p8/azId6CNI=) it is different, this is definitely the reason for failure. I believe the HMAC signature formation is happening incorrectly in your python code.

kindly go through the code example mentioned on the developer portal under the downloads tab for your reference.

https://developers.refinitiv.com/en/api-catalog/customer-and-third-party-screening/world-check-one-api/downloads

Regards,

Mehran Khan

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
2.4k 5 5 5

Hi @meirr ,

401 errors occur because the request has failed an authorization check. This can happen for a variety of reasons, such as

a) An invalid or expired API key,

b)An invalid HMAC signature.

c) Request timing issue/problem with the Date header value. The API client should ensure a correctly synchronized clock is used to generate request timestamps.

d)Incorrect JSON payload formation at the customer’s end that can cause them to observe 401 response.

From your request & response headers, I see that your response time is earlier than your request time, ensure that the date header value that you are sending is in sync with the NTP or the GMT clock for the API call to succeed.

API messages are validated by timestamps, to help guard against replay attacks. Messages are only considered valid if they are processed at the point in time corresponding to their Date request header. A small buffer is used in this calculation to allow for minor clock drifts, discrepancies between client and server clocks, and data transfer round trip times. It is advised that when integrating with the World-Check One API, the machines involved in API communication are properly time synchronised via NTP to help prevent any message validity issues.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
32 2 0 4

thank you for your answer,

it seems like i tried everything and i still get 401.

im trying to check if a caseId exists

here is my headers:

{'Date': 'Mon, 04. Mar 2019 10:29:01 GMT', 'Authorization': 'Signature keyId="2f392296-1ddc-4568-a73c-0d06acecdb15",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length",signature="yzYrvNTKV5ldDhiOLw1+glELuTro9RUYXE+Dmz2JWP8='}

and here are the response headers:

{'X-Application-Context': 'application', 'Authorization': 'WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length', 'Content-Length': '0', 'Date': 'Mon, 04 Mar 2019 10:29:02 GMT', 'Server': '""'}

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
2.4k 5 5 5

@meirr

Can you provide me the complete request and response so that I can investigate this in detail?

Regards,

Mehran Khan

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
32 2 0 4

Below are the request & response


REQUEST:

Header: {'Date': 'Mon, 04. Mar 2019 10:37:56 GMT', 'Authorization': 'Signature keyId="2f392296-1ddc-4568-a73c-0d06acecdb15",algorithm="hmac-sha256",headers="(request-target) host date",signature="dMdbcN7zXHvLaH+zuR5RmerfT8vUaSjwQUiqkCe/R5k="'}

Params: {“caseId”: "ae59c753-c6f3-4d02-97fd-64d6b9356944" }

URL: https://rms-world-check-one-api-pilot.thomsonreuters.com/v1/caseIdentifiers

Method: HEAD

RESPONSE:

Headers: {'X-Application-Context': 'application', 'Authorization': 'WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length', 'Content-Length': '0', 'Date': 'Mon, 04 Mar 2019 11:04:30 GMT', 'Server': '""'}

Response code:401

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
2.4k 5 5 5

@meirr

The difference between the requested time and API clock time shouldn’t be >30 seconds. When it’s more than 30 seconds you get a 401. As you can see from your request and response the difference is almost 27 minutes that is the reason why you're seeing a 401, kindly ensure that that the date time value that you're sending is in sync with the NTP or the GMT clock for the API call to succeed.

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
32 2 0 4

Apologizes: My mistake here is the new transaction I just made

the difference between send & receive is 3 sec

REQUEST:

{'Date': 'Mon, 04. Mar 2019 11:41:46 GMT', 'Authorization': 'Signature keyId="2f392296-1ddc-4568-a73c-0d06acecdb15",algorithm="hmac-sha256",headers="(request-target) host date",signature="uRI4YC4yRzIeznKmzJYFIYy6Dc8Ffhe4p8/azId6CNI="'}

Params: {“caseId”: "ae59c753-c6f3-4d02-97fd-64d6b9356944" }

URL: https://rms-world-check-one-api-pilot.thomsonreuters.com/v1/caseIdentifiers

Method: HEAD

RESPONSE:

Headers: {'X-Application-Context': 'application', 'Authorization': 'WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length', 'Content-Length': '0', 'Date': 'Mon, 04 Mar 2019 11:41:49 GMT', 'Server': '""'}

Code: 401

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
2.4k 5 5 5

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
2.4k 5 5 5

@meirr

I tried replicating the issue using your keys i was able to successfully fire the API

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

HEAD /v1/caseIdentifiers Date: Mon, 04 Mar 2019 12:15:51 GMT Authorization: Signature keyId="2f392296-1ddc-4568-a73c-0d06ace*****",algorithm="hmac-sha256",headers="(request-target) host date",signature="bVsDWVeI2b2MuafRQapgTf0xKhKfw1x7t7LUTz8weqM=" cache-control: no-cache Postman-Token: ab3ab0d7-d895-4ac7-b0a2-0c89e22ec94f User-Agent: PostmanRuntime/7.6.0 Accept: */* Host: rms-world-check-one-api-pilot.thomsonreuters.com accept-encoding: gzip, deflate content-length:

HTTP/1.1 200 status: 200 X-Application-Context: application Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-XSS-Protection: 1; mode=block X-Frame-Options: DENY X-Content-Type-Options: nosniff Date: Mon, 04 Mar 2019 12:15:50 GMT Content-Length: 0 Server: ""

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I would suggest you to recheck the credentials being passed and also delete the existing postman collection and re import the same and try.

Let me know your findings.

Regards,

Mehran Khan

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Upvotes
32 2 0 4

hi, postman is working on my side also, thats not the problem.

im having problems in my python app.

maybe do you have code examples for python or even php? the only problem that i can think about is incorrect signature..

icon clock
10 |1500

Up to 2 attachments (including images) can be used with a maximum of 5.0 MiB each and 10.0 MiB total.

Click below to post an Idea Post Idea