This new flow adds a further security layer: the authentication headers as well as the request and response payloads are encrypted with AES-256 and decrypted by the receiving side.
- Every API call carries a freshly encrypted header_secrets value and a pass_key in the HTTP headers, sends its request payload encrypted, and receives its response body encrypted with AES-256.
- The API Gateway team will share, per client, the pass key, client ID, client secret, API user name and one AES encryption key. That single key is used both for encrypting the header secrets and for encrypting and decrypting the request/response payload.
- Every API call must carry two headers: pass_key and header_secrets.
Parameter | Description | Data type
--- | --- | ---
header_secrets | Encrypted header secret containing client_id, client_secret and timestamp (epoch) | String
pass_key | A separate pass key for each client | String
- The header_secrets value is the encrypted form of a JSON body containing client_id, client_secret and epoch, encrypted with the AES key shared by the API Gateway team. Since the epoch changes with each call, the encrypted value must be generated fresh for every request rather than cached and reused.
- The header_secrets JSON must contain the following fields.
Parameter | Description | Data type
--- | --- | ---
client_id | API user's client ID, provided by the API Gateway team | String
client_secret | API user's client secret, provided by the API Gateway team | String
epoch | Unix timestamp in seconds, e.g. 1727954878. The sample below shows a 13-digit (millisecond) value; confirm with the API Gateway team which precision the gateway validates | String
1. Sample JSON header_secrets to be encrypted (keys are case-sensitive and must match the field names above):
{
  "client_id": "<to be provided later>",
  "client_secret": "<to be provided later>",
  "epoch": "1727954878124"
}
2. Every request payload must be encrypted with AES-256 using the same encryption key as the header, and sent in the following format. This specification leaves the cipher mode, IV/nonce handling and padding to be confirmed with the API Gateway team; the sample values are Base64-encoded, and a mismatch in any of these parameters yields data the other side cannot decrypt.
{
  "RequestData": "KyiXL/YzPPEE12/dE482Di1mFVhKsmctByNEvKTZHPTDt2v+p8aIj9qc8HPwvqpWOyCo/K0OqitfNqU1t8KuMZJqdZrd1jmQuYfZAbi+143MyvHXqKbXyQJ1S2DTWsN2UkHt08IKuzdRNGvdu65ICmtkggYxS03JIK0ihDDt6tzPaWleSwviPLL7UsHMTJ3CG+a0BzHlRqaCW0ilT3y7minwAfDsBJEB5kfahflahfa"
}
The client receives a response of the following form:
{
  "ResponseData": "R4dcjsGEYXOWPRP9t8x8s8mJ6hNQT4FWii2WCfR4pKxeXzioW8WDokqs3a3VDWr/mELpJRWpXw3+Z0fp/0En/BNgvjjENmmCcC8qm1gYi8wIv2VuvRBy3012VOvK3J2ZlKDfQd2+ApsQI7ESDe/eoA=="
}
The ResponseData value must be decrypted with the same shared encryption key that was used to encrypt the request payload.
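The following Go program is an added example of the full exchange described above, written for this page; it is not the API Gateway team's code. It assumes AES-256-GCM with a random nonce prepended to the ciphertext and Base64 output (the page only says "AES-256", so the real mode, IV handling and padding must be taken from the gateway team), and it goes slightly beyond the page by also showing the gateway-side check: decrypting header_secrets, comparing the credentials, and rejecting epochs outside a freshness window (the window size is an assumption; the page states none) so that a captured header cannot be replayed indefinitely. The key and payload values are constructed for the demo, and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// encryptField returns base64(nonce || ciphertext || tag). ASSUMPTION: the page only says
// "AES-256"; GCM, a random 12-byte nonce and Base64 output are this example's choices.
func encryptField(key, plaintext []byte) (string, error) {
	if len(key) != 32 {
		return "", errors.New("AES-256 needs a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}

// decryptField reverses encryptField; a wrong key or tampered data fails the GCM tag check.
func decryptField(key []byte, encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	block, kerr := aes.NewCipher(key)
	if err != nil || kerr != nil || len(key) != 32 {
		return nil, errors.New("undecodable ciphertext or key is not 32 bytes")
	}
	gcm, _ := cipher.NewGCM(block)
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
}

// BuildHeaderSecrets (client side) encrypts {client_id, client_secret, epoch} into the header value.
func BuildHeaderSecrets(key []byte, clientID, clientSecret string, now time.Time) (string, error) {
	js, _ := json.Marshal(map[string]string{"client_id": clientID, "client_secret": clientSecret, "epoch": strconv.FormatInt(now.Unix(), 10)})
	return encryptField(key, js)
}

// VerifyHeaderSecrets (gateway side) decrypts the header, checks the credentials and rejects epochs
// outside a freshness window so a captured header cannot be replayed. ASSUMPTION: the page states no window.
func VerifyHeaderSecrets(key []byte, encoded, wantID, wantSecret string, now time.Time, window time.Duration) error {
	js, err := decryptField(key, encoded)
	if err != nil {
		return fmt.Errorf("header_secrets: %w", err)
	}
	var hs map[string]string
	if err := json.Unmarshal(js, &hs); err != nil {
		return err
	}
	if hs["client_id"] != wantID || hs["client_secret"] != wantSecret {
		return errors.New("client_id or client_secret mismatch")
	}
	ts, err := strconv.ParseInt(hs["epoch"], 10, 64)
	if ts > 100000000000 { // 13-digit value: milliseconds, as in the page's sample JSON
		ts /= 1000
	}
	w := int64(window.Seconds())
	if err != nil || ts < now.Unix()-w || ts > now.Unix()+w {
		return errors.New("epoch malformed or outside the freshness window")
	}
	return nil
}

// WrapBody encrypts a plaintext body into {"<field>": "..."} ("RequestData" on the client, "ResponseData" on the gateway).
func WrapBody(key []byte, field string, body []byte) ([]byte, error) {
	enc, err := encryptField(key, body)
	if err != nil {
		return nil, err
	}
	return json.Marshal(map[string]string{field: enc})
}

// UnwrapBody decrypts the named field of an encrypted envelope back to plaintext.
func UnwrapBody(key []byte, field string, body []byte) ([]byte, error) {
	var env map[string]string
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, err
	}
	return decryptField(key, env[field])
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key, not a gateway key
	hs, _ := BuildHeaderSecrets(key, "demo-client", "demo-secret", time.Now())
	body, _ := WrapBody(key, "RequestData", []byte(`{"orderId":"42"}`)) // constructed sample payload
	fmt.Println(hs, string(body), VerifyHeaderSecrets(key, hs, "demo-client", "demo-secret", time.Now(), 5*time.Minute))
}
```

The client calls BuildHeaderSecrets and WrapBody for each request; the gateway calls VerifyHeaderSecrets and UnwrapBody, then answers with WrapBody(key, "ResponseData", ...), which the client opens with UnwrapBody. An authenticated mode such as GCM is chosen here because it makes a wrong key or a modified ciphertext fail loudly instead of yielding garbage plaintext; if the gateway actually mandates an unauthenticated mode, only encryptField and decryptField need to change.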
Notes:

Client | Header encryption (AES key) | Payload encryption and decryption (AES key)
--- | --- | ---
Client A | 1. pass_key 2. header_secrets encrypted with Key a | Key a
Client B | 1. pass_key 2. header_secrets encrypted with Key b | Key b
Client C | 1. pass_key 2. header_secrets encrypted with Key c | Key c
Client D | 1. pass_key 2. header_secrets encrypted with Key d | Key d

Each client has its own pass_key and its own AES key; that single key encrypts both the client's header_secrets and its request/response payloads, so a key must never be shared between clients.
Sample curl command (replace the URL placeholder with the endpoint specified by the API Gateway team):
curl --location '<specified URL>' \
  --header 'header_secrets: pl1S9rCtOH1/kGkGNSfBSC3913SuEMq39syKL0OPC435bqZNq7wvn8lqbRnkbWchSRoFD72UM8CYmie5UGQrZh8y57JwmGubQT/SIGy7tYkWEu/14MvpxX2oB4uNRuIYLrJD2zL0WA1gNM0+EHko0x9kfDXP1jF7IKubah9F9RkEOvzUJaI+hFQ3qrDv9vE57JLwecYG1/V/8irDvmRJug==' \
  --header 'pass_key: l29o3OZFWoE8qEKah9rnrNEvquSytJqEKah9DVEPVR' \
  --header 'Content-Type: application/json' \
  --data '{ "RequestData": "S7klEFPI7bWmnTB7FrFIO4YVx7Hu982zVUMAWOBGvXEiRVyKO1RyGNS0huzvBeuvQJFRkCnkbWchSRoFD72UM8CYmie5UGQrZh8y57JwmGubQT/SIGy7tYkWEu/14MvpxX2oB4uNRuIeq4tLEkjP5DcaWNg60ODFmaZiDznK1Q0RfmwI=" }'