ShopBack for Business
API Reference

Generating an HMAC Signature

The HMAC-SHA256 algorithm must be used to generate a request signature, which is calculated using your accessKeySecret ​key.

1. Create a content digest for your request body. The keys within the request body should be ordered alphabetically before the digest is generated.

contentDigest = sha256(stringify(requestBody));

2. Generate the string to sign by combining HTTP method, request content type, date-time in ISO-8601 format (also required in header params), fully qualified request path with query parameters (if any), and the content digest (from step 1) with a newline in between each parameter.

Note: Please follow this specific ordering of parameters.

POST
application/json
2022-08-22T02:29:33.123Z
https://integrations-sandbox.shopback.com/posi-sandbox/v1/instore/order/create
a4c198145e81b2904788cf3bb0385276b15962903b1a0d8de0ccf57909cf38bc

3. Sign this string with your accessKeySecret.

4. Generate hex encoded string from step 3 to generate hmac_signature

5. Attach the HMAC Signature in the Authorization header in this format SB1-HMAC-SHA256 accessKeyId:hmac_signature.

Example Code

const crypto = require('crypto');
const _ = require('lodash')
const ACCESS_KEY_SECRET_EXAMPLE = 'f33679f2ae892fd89ceefc409934e49f';

function createSHA256Digest(sortedBody) {
  if (_.isEmpty(sortedBody)) {
    return '';
  }
  const hash = crypto.createHash('sha256');
  hash.update(JSON.stringify(sortedBody));
  return hash.digest('hex');
}

function createHmacSignature(str, secret) {
  const hmac = crypto.createHmac('sha256', secret);
  hmac.update(str);
  return hmac.digest('hex');
}

function computeRequestSignature(req, secret) {
  const { method, pathWithQuery, body, contentType, date } = req;
  const contentDigest = createSHA256Digest(body);
  const payload = `${method.toUpperCase()}\n${contentType}\n${date}\n${pathWithQuery}\n${contentDigest}`;
  return createHmacSignature(payload, secret);
}

function  alphabeticallySortBody(body: object) {
    return Object.keys(body)
      .sort()
      .reduce(
        (acc, key) => ({
          ...acc,
          [key]: body[key],
        }),
        {},
      );
  }

function main() {
  // Date should be specified in ISO 8601 UTC. Do not specify the time offset 
  // '2022-08-15T14:59:47.585Z' ✅
  // '2022-08-15T22:59:47.585Z+08' ❌
  const date = new Date().toISOString(); // to be used for Header param too. 
  
  const body = {
      referenceId: '352c530dd7f747161a5e6c990c720bec',
      currency: 'THB',
      posId: '802c987em7f747269a5e6c260c630kpl',
      amount: 1000,
    }
  const sortedBody = alphabeticallySortBody(body)
  // alphabetically-ordered keys in sortedBody 
  //  {
  //     amount: 1000,
  //     currency: 'THB',
  //     referenceId: '352c530dd7f747161a5e6c990c720bec',
  //     posId: '802c987em7f747269a5e6c260c630kpl',
  //   }

  const req = {
    method: 'POST',
    pathWithQuery: ' https://integrations-sandbox.shopback.com/posi-sandbox/v1/instore/order/create',
    body: sortedBody,
    contentType: 'application/json',
    date,
  };

  console.log(
    'hmac_signature: ',
    computeRequestSignature(req, ACCESS_KEY_SECRET_EXAMPLE),
  );
}

main();