Security Requirements

API Key

All requests from the partner to Gotadi's system must include the following headers to support security operations and data statistics for Gotadi:

  • apikey: <api_key>

  • x-ibe-req-name: <access_code>

Note

The <api_key> and <access_code> values are provided by Gotadi to the Partner.


Digital signature

Some important APIs require a digital signature to be attached to the request and response for authentication.

Generating a Digital Signature

The sender signs the signature data with their own Private Key using the RSA-SHA256 algorithm.

Note: The schema for constructing the signature data will be specifically described in each API.

Java example code

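import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Signature;
import org.apache.commons.codec.binary.Base64;

// getPrivateKeyFromXML is a helper that is not shown on this page.
// Returns the Base64-encoded RSA-SHA256 signature of signatureData.
public static String signRSA(String signatureData, String xmlPrivateKey) throws Exception {
    PrivateKey privateKey = getPrivateKeyFromXML(xmlPrivateKey);
    Signature instance = Signature.getInstance("SHA256withRSA");
    instance.initSign(privateKey);
    instance.update(signatureData.getBytes(StandardCharsets.UTF_8));
    byte[] signature = instance.sign();
    return Base64.encodeBase64String(signature);
}

Digital signature verification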

The receiver uses the RSA-SHA256 algorithm and the sender's Public Key to verify the signature created by the sender.

Java example code

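import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.Signature;
import org.apache.commons.codec.binary.Base64;

// getPublicKeyFromXML is a helper that is not shown on this page.
// signature is the Base64 string produced by the sender.
public static boolean verifyRSA(String signedData, String signature, String xmlPublicKey) throws Exception {
    PublicKey publicKey = getPublicKeyFromXML(xmlPublicKey);
    Signature instance = Signature.getInstance("SHA256withRSA");
    instance.initVerify(publicKey);
    instance.update(signedData.getBytes(StandardCharsets.UTF_8));
    return instance.verify(Base64.decodeBase64(signature));
}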
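The sign and verify steps above as one runnable round trip; this is an added example, not Gotadi's code. It assumes a freshly generated RSA key pair in place of the XML keys, a constructed signature data string (the real schema is defined per API), and java.util.Base64 in place of the Base64 helper used on this page. The verify method treats a malformed signature as a failed check instead of letting the exception propagate.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Base64;

public class SignatureRoundTrip {
    static String sign(String signatureData, PrivateKey key) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(signatureData.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }

    // Returns false for a malformed or wrong-length signature,
    // so the caller has a single reject path.
    static boolean verify(String signedData, String signatureB64, PublicKey key) throws Exception {
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(signatureB64);
        } catch (IllegalArgumentException e) {
            return false; // not valid Base64
        }
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(signedData.getBytes(StandardCharsets.UTF_8));
        try {
            return s.verify(raw);
        } catch (SignatureException e) {
            return false; // e.g. signature length does not match the key
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair; stands in for the keys exchanged with Gotadi.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        // Constructed sample; the real signature data schema is defined per API.
        String data = "bookingNumber=ABC123|amount=1500000";
        String sig = sign(data, pair.getPrivate());
        System.out.println("untampered: " + verify(data, sig, pair.getPublic()));
        System.out.println("modified data: " + verify(data.replace("1500000", "1"), sig, pair.getPublic()));
        System.out.println("malformed signature: " + verify(data, "not-base64!", pair.getPublic()));
    }
}
```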
