This new flow follows a better security layer which includes payload as well as headers encryption-decryption.

  1. Every API call will comprise of newly encrypted header secrets and a pass key in the headers and the encrypted payload with the response body also being encrypted using AES-256 encryption.
  2. API Gateway team will share the Pass key, Client ID, Client Secret, API user name and Encryption Key for encrypting the Header Secrets and request-response Payload separately.
  3. Every API call should comprise of two headers i.e. pass_key and header_secret.
Parameter Description Data_type
header_secrets Encrypted header secret containing client_id, client_secret and timestamp(Epoch) String
pass_key A separate pass key for each client. String
  1. The header_secret is the encrypted header data which is a JSON body containing the client_id, client_secret and epoch, encrypted with an AES encryption key shared by API Gateway team.
  2. The header_secret JSON should contain the following data.
Parameter Description Data_type
client_id API user’s client ID, to be provided by API Gateway team. String
client_secret API user’s client secret key, to be provided by API Gateway team. String
epoch A timestamp up to seconds e.g.1727954878 String

1.Sample JSON header_secrets to be encrypted:

{
“Client_id”: To be provided later,
"client_secret": To be provided later,
"epoch":"1727954878124"
}

2. Every request payload should be encrypted using the same encryption Key used for header encryption using AES256 algorithm and should be shared in the following format:

{
"RequestData" :
"KyiXL/YzPPEE12/dE482Di1mFVhKsmctByNEvKTZHPTDt2v+p8aIj9qc8HPwvqpWOyCo/
K0OqitfNqU1t8KuMZJqdZrd1jmQuYfZAbi+143MyvHXqKbXyQJ1S2DTWsN2UkHt08IKuzdRNGvdu65IC
mtkggYxS03JIK0ihDDt6tzPaWleSwviP 
LL7UsHMTJ3CG+a0BzHlRqaCW0ilT3y7minwAfDsBJEB5kfahflahfa"
}

Below response client will get

{
"ResponseData":
"R4dcjsGEYXOWPRP9t8x8s8mJ6hNQT4FWii2WCfR4pKxeXzioW8WDokqs3a3VDWr/
mELpJRWpXw3+Z0fp/0En/BNgvjjENmmCcC8qm1gYi8wIv2VuvRBy 
3012VOvK3J2ZlKDfQd2+ApsQI7ESDe/eoA=="
}

The above response payload needs to be decrypted using the same shared Encryption Key for Request-Response Payload.

Notes: 

  • A check has been implemented at the Gateway end where the epoch is validated and throws an epoch timeout error if the epoch is more than 5 mins old.
  • Encrypt the header JSON data using the Encryption Key for Header Secrets using AES256 algorithm and share it in the header_secrets key in the header. It is required to generate every time while consuming the API. In Header also required to send a pass_key which is shared by the API Gateway team.
  • The key that will be used to encrypt the payload and header_secrets are the same.
  • While the same key can be used to decrypt the response JSON.
  • AES Encryption key will be client specific i.e. separate for each client.
  • Algorithms for the encryption and decryption will be shared from the API Gateway team separately.
  • Only the success responses will be sent in an encrypted format from the gateway end, other responses will be sent in normal JSON or as it is.
Clients Header Encryption, AES Keys Payload Encryption and Decryption AES Keys
Client A 1.pass_key
2.Header_secrets Key a
Key a
Client B 1.pass_key
2.Header_secrets Key b
Key b
Client C 1.pass_key
2.Header_secrets Key c
Key c
Client D 1.pass_key
2.Header_secrets Key d
Key d

Sample Curl Command:

curl --location : Specified URL
header 'header_secrets: pl1S9rCtOH1/kGkGNSfBSC3913SuEMq39syKL0OPC435bqZNq7wvn8lqbRnkb 
WchSRoFD72UM8CYmie5UGQrZh8y57JwmGubQT/SIGy7tYkWEu/
14MvpxX2oB4uNRuIYLrJD2zL0WA1gNM0+EHko0x9kfDXP1jF7IKubah9F9RkEOvzUJaI+hF 
Q3qrDv9vE57JLwecYG1/V/8irDvmRJug==' \
header 'pass_key: l29o3OZFWoE8qEKah9rnrNEvquSytJqEKah9DVEPVR' \
header 'Content-Type: application/json' \
data:
'{
"RequestData":
"S7klEFPI7bWmnTB7FrFIO4YVx7Hu982zVUMAWOBGvXEiRVyKO1RyGNS0huzvBeuvQJFRkCnkbWchSR
oFD72UM8CYmie5UGQrZh8y57JwmGubQT/SIGy7tYkWEu/
14MvpxX2oB4uNRuIeq4tLEkjP5DcaWNg60ODFmaZiDznK1Q0RfmwI="
}'