
Credentials and Authentication

On March 31, 2016, we changed our authentication protocols. All associated PUT/GET APIs require the use of an HMAC-SHA256 signing algorithm. Instead of email and passwords, API URLs will include only your seller ID. API calls require a keyed-hash message authentication code mechanism.

The format of the authorization header is: HMAC-SHA256<white space>emailaddress=<email address>,timestamp=<timestamp>,signature=<signature>

As an example: “authorization:HMAC-SHA256 emailaddress=test@searshc.com,timestamp=2016-02-11T20:23:05Z,signature=bf4ece266c47538d793b296fa772e9ea299611c6c6e48841f4e66a4f994bed26”

How to create a new signature

The new signature algorithm needs two inputs:

  1. String to Sign
  2. Secret Key

“String to Sign”:

The format to generate this is: Seller ID:Email address:CurrentTimestamp. For example, a “String to Sign” is: 1234:test@searshc.com:2016-02-11T20:23:05Z

  • Seller ID = the seller’s account ID in Seller Portal
  • Email address = the actual email address that the seller passes in API calls
  • CurrentTimestamp = the current timestamp in the UTC time zone, with format yyyy-MM-dd'T'HH:mm:ss'Z'

The timestamp is valid for only 30 minutes on the server side, so a generated signature can be used for only 30 minutes; after that, the signature must be created again using the current timestamp. The timestamp passed in the request is validated against the configured expiry time.

Secret Key:

Every seller will be provided with a base64-encoded secret key. Sellers can log into Seller Portal to generate their key from their “Account Info” page. (Once logged in, click on your name in the upper right and then Account Info.)

If you do not have access to the Seller Portal, please contact your company administrator for the Seller Portal. If you do not know who your company administrator is, please contact us using the Contact Us Form.

Create a new signature

Sellers can use the HMAC API of any programming language to create this signature.

Sellers must pass the signature in hexadecimal format in the API header.

For reference, use this URL: http://www.freeformatter.com/hmac-generator.html and choose SHA256 under “Select a message digest algorithm”.

Once the request reaches the Seller Portal server, we validate the signature provided by the seller, using the inputs provided, to authenticate the API call.

Secondary users must generate their own API key when logged into the Seller Portal.
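
The signing steps described above, plus a receiver-side check of the 30-minute window, as an added example that is not Sears' own code. Assumptions: the function names, the constructed sample key, the one-minute clock-skew allowance, and that the HMAC key is the base64 text as issued (pass `decode_key=True` if the decoded bytes are the key); the page does not specify these.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"    # yyyy-MM-dd'T'HH:mm:ss'Z', always UTC
MAX_AGE = timedelta(minutes=30)     # validity window stated on the page
CLOCK_SKEW = timedelta(minutes=1)   # assumption: tolerance for fast client clocks
# Constructed sample key, not a real credential.
SAMPLE_KEY = base64.b64encode(b"constructed-sample-key").decode("ascii")

def _key_bytes(secret_key, decode_key):
    # Assumption: the page does not say whether the HMAC key is the base64
    # text as issued (default here) or the bytes it decodes to.
    return base64.b64decode(secret_key) if decode_key else secret_key.encode("utf-8")

def sign(seller_id, email, timestamp, secret_key, decode_key=False):
    """Hex HMAC-SHA256 over 'SellerID:Email:Timestamp'."""
    string_to_sign = f"{seller_id}:{email}:{timestamp}".encode("utf-8")
    key = _key_bytes(secret_key, decode_key)
    return hmac.new(key, string_to_sign, hashlib.sha256).hexdigest()

def build_header(seller_id, email, secret_key, now=None, decode_key=False):
    """Value for the 'authorization' header, stamped with the current UTC time."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    ts = now.strftime(TS_FORMAT)
    sig = sign(seller_id, email, ts, secret_key, decode_key)
    return f"HMAC-SHA256 emailaddress={email},timestamp={ts},signature={sig}"

def verify_header(header, seller_id, secret_key, now=None, decode_key=False):
    """Receiver-side sketch: parse, check freshness, recompute, compare."""
    now = now or datetime.now(timezone.utc)
    scheme, _, params = header.partition(" ")
    fields = dict(p.split("=", 1) for p in params.split(",") if "=" in p)
    try:
        email, ts_text, sig = (fields[k] for k in ("emailaddress", "timestamp", "signature"))
        ts = datetime.strptime(ts_text, TS_FORMAT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False
    if scheme != "HMAC-SHA256" or not (-CLOCK_SKEW <= now - ts <= MAX_AGE):
        return False
    expected = sign(seller_id, email, ts_text, secret_key, decode_key)
    # Constant-time comparison avoids leaking how many hex digits matched.
    return hmac.compare_digest(expected.encode(), sig.lower().encode())
```

Computing the signature locally keeps the secret key out of third-party web tools. Because the string to sign covers only seller ID, email address and timestamp, the header value is not bound to a particular request, so send it only over TLS and keep it out of logs.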