guideRequest signature

# Request signature overview

The safest solution is to only use communication over HTTPS, but there may be cases when HTTPS communication between the system and CKEditor Cloud Services is not possible, and only HTTP communication can be used. Therefore, to secure both situations, CKEditor Cloud Services uses the HMAC algorithm to secure the connections between systems.

# Algorithm

Each request sent from or received by CKEditor Cloud Services should have the following headers:

  • X-CS-Timestamp
  • X-CS-Signature

The X-CS-Timestamp value should be the number of milliseconds elapsed since January 1, 1970 00:00:00 UTC, for example, returned by Date.now() in node/JavaScript.

The signature is generated using the SHA-256 algorithm using one of API secrets as a secret and based on the following data:

  • HTTP method – GET, POST, PUT, DELETE.
  • URL – The path of the URL.
    For https://docs.cke-cs.com/api/v5/docs?page=1 this is just /api/v5/docs?page=1.
  • timestamp – The same value as in the X-CS-Timestamp header.
  • body – A string from the body for POST and PUT or an empty string for other methods.

For generating Webhooks request signature you will need to use the API secret which is selected as “Use with Webhooks”.

If there is no API secret selected, then API secret from the “API configuration” tab will be used.

The above data should be combined into one string in the following way:

  • Convert the HTTP method name to an upper case string.
  • Add the URL (path name).
  • Add the timestamp.
  • Add the body converted to a string.

# Examples

Check an example of a request signature implementation in Node.js.
Check an example of a request signature implementation in ASP.NET.
Check an example of a request signature implementation in Java.
Check an example of a request signature implementation in PHP.
Check an example of a request signature implementation in Python 3.