Signature

The Signature element is the RFC 2104 HMAC-SHA1 of selected elements from the request, and so the Signature part of the Authorization header will vary from request to request.

Component

Description

HTTP method

GET, POST, PUT, PATCH

MD5 hash sum of the string with JSON-serialized parameters

If there are no parameters in the request body (e.g. GET), you then need to place just an empty string ""

Content-Type

application/json

Date

HTTP-date format e.g. Tue, 15 Nov 1994 08:12:31 GMT. The time offset is 10 minutes

Request URI

Everything that is after the base URL e.g. /api/invoices

Here is a piece of pseudo-code that demonstrates the Authorization header construction. \n means the Unicode code point U+000A, commonly called newline:

StringToSign = HTTP-Verb + “\n” +
Content-MD5 + “\n” +
Content-Type + “\n” +
Date + “\n” +
Path
Signature = Base64( HMAC-SHA1( Api.secret, UTF-8-Encoding-Of( StringToSign ) ) );
Authorization = Api.key + “:” + Signature;

Make sure that the date used for signature is the same you put in the header