HMAC authentication for Tokenly APIs

v1.2.0 2017-11-08 15:06 UTC

This package is not auto-updated.

Last update: 2020-09-16 21:07:59 UTC


The HMAC authentication component for Tokenly.

Build Status


To authenticate HTTP requests that use this component, you must include 3 HTTP headers with your request:

  1. X-Tokenly-Auth-Api-Token
  2. X-Tokenly-Auth-Nonce
  3. X-Tokenly-Auth-Signature

To generate these headers, you will need an API Token and a secret API Key.

Say my API Token is TWKTkwIQDTvirh6D and my API Secret key is Kun2M2UladalYAeUvXyiKWhFuwrsmSreM841K45O. Here is an explanation of each header.


This token is nothing more than the API Token.

Example: X-Tokenly-Auth-Api-Token: TWKTkwIQDTvirh6D


The nonce header is the current unix timestamp in seconds.

Example: X-Tokenly-Auth-Nonce: 1457530047


The signature is a base64 encoded string using sha256 HMAC. The key for the hash is the API Key. And the message is generated using the following data:


{METHOD} is the http method such as GET,POST,PUT,DELETE {URL} is the full URL of the api endpoint {PARAMETERS} are required and should be a JSON encoded string representing the parameters. For empty parameters, use {}. {API TOKEN} and {NONCE} are the same as send in the headers.

Items are separated with a single newline character.

After calculating the HMAC, encode the data in base64 format.


Using the values above and a request of GET, the signature header will be:

X-Tokenly-Auth-Signature: hZ6SDgcZzo5AYrS9yopEQo068ax0NojG/CfXWG+RJEA