Security
Security schemas
Below are the different security schemas for the API and the webhooks.
API access oauth2
The API uses OAuth2 with client credentials grant for access. Replace YOUR_CLIENT_ID, YOUR_CLIENT_SECRET and YOUR_SELECTED_SCOPES.
curl --request POST \
--url http://api.opencard.local/oauth/token \
--header 'accept: application/json' \
--header 'content-type: multipart/form-data; boundary=---011000010111000001101001' \
--form grant_type=client_credentials \
--form client_id=YOUR_CLIENT_ID \
--form client_secret=YOUR_CLIENT_SECRET \
--form scope=YOUR_SELECTED_SCOPES
To obtain access to all scopes, use *
--form scope=*
Available scopes are listed below.
accounts-read
accounts-write
account-users-read
account-users-write
account-statistics-read
clients-read
clients-write
public-records-read
account-tpas-read
account-tpas-write
account-tpa-signatories-write
account-tpa-signatories-read
account-tpa-signatories-delete
organizations-read
organizations-write
webhooks-write
webhooks-read
webhook-events-read
webhook-headers-read
webhook-headers-write
webhook-headers-delete
files-read
card-holders-write
card-holders-delete
card-holders-read
card-issuers-read
billings-read
billings-write
receipts-write
environmental-impacts-read
Webhook
To authenticate the webhook request you can use either the X-Data-Signature header or use one of the predefined security schemas that OpenCard support.
X-Data-Signature:
You can use the header value x-data-signature to validate the payload of the webhook and to validate it is sent from OpenCard.
x-data-signature is sha256 hmac of the payload and the webhook secret:
$xDataSignature = hash_hmac('sha256', <json_payload>, <webhook_secret>)
if($xDataSignature !== $_SERVER['HTTP_X_DATA_SIGNATURE']) {
header("HTTP/1.1 401 Unauthorized");
exit;
}
using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(<webhook_secret>)))
{
byte[] hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(<json_payload>));
string xDataSignature = BitConverter.ToString(hash).Replace("-", "").ToLower();
if (xDataSignature != GetRequestHeader("HTTP_X_DATA_SIGNATURE"))
{
Console.WriteLine("HTTP/1.1 401 Unauthorized");
Environment.Exit(0);
}
}
const crypto = require('crypto');
const webhookSecret = /* Your webhook secret */;
const jsonPayload = /* Your JSON payload */;
const hmac = crypto.createHmac('sha256', <webhook_secret>);
const hash = hmac.update(<json_payload>).digest('hex');
const xDataSignature = hash.toLowerCase();
if (xDataSignature !== getRequestHeader('HTTP_X_DATA_SIGNATURE')) {
console.log('HTTP/1.1 401 Unauthorized');
process.exit(0);
}
Authentication header
Select "use authentication" when configuring your webhooks. This allows you to select from 3 different authentication schemes:
- Key / value HTTP header
- Basic auth
- Oauth2, client credential grant
Updated 8 months ago