The Spektrix system allows our clients to collect and report on the booking habits of their customers. In doing so, a lot of sensitive data about our clients’ customers is stored on our servers. Spektrix has been authorized by our clients to process and manage their data in an appropriate and secure manner. By gaining access to our API you will have access to this data and are therefore also responsible for using it appropriately and securely.
The Spektrix API has been designed with security in mind. We use industry-standard SSL encryption to protect data in transit, and access to sensitive data and to some functionality requires authentication.
Signing and Authenticating Requests
API requests that require authentication must contain your API Login Name and must be signed with your API Secret Key. These can be obtained from a Spektrix user who has Settings access to the system in question.
The API Secret Key is base-64 encoded, and must be decoded before use in the HMAC step of the Authentication process.
```
GET api/v3/customers/I-AK11-1ATK
Host: system.spektrix.com
Date: Mon, 01 Jan 2020 19:37:58 +0000
Authorization: SpektrixAPI3 TestLogin:frJIUN8DYpKDtOLCwo//yllqDzg=
```
Constructing the Authorization Header
```
Authorization = "SpektrixAPI3 " + LoginName + ":" + Signature;
Signature = BASE-64-ENCODE( HMAC-SHA1( BASE-64-DECODE(SecretKey), UTF-8( StringToSign ) ) );
StringToSign = HTTP-Method + "\n" + HTTP-Uri + "\n" + HTTP-Date + [ "\n" , BodyStringToSign ];
BodyStringToSign = BASE-64( MD5( UTF-8( body ) ) )
```
- If the request has a body, construct BodyStringToSign as follows:
  - UTF-8 encode the contents of the request body;
  - MD5 sum the result;
  - then base-64 encode the MD5 sum.
- Construct StringToSign by appending:
  - the HTTP method (in upper case);
  - a newline ("\n");
  - the uri;
  - a newline ("\n");
  - the contents of the Date header;
  - and, if there is a body, a newline then BodyStringToSign.
- Construct Signature as follows:
  - UTF-8 encode StringToSign;
  - base-64 decode the Secret Key;
  - calculate the SHA1 HMAC of the UTF-8 encoded string using the base-64 decoded Secret Key;
  - base-64 encode the SHA1 HMAC result.
- Finally, form the Authorization header value by appending to "SpektrixAPI3":
  - a space;
  - your API login name;
  - a colon (":");
  - and the Signature string calculated as above.
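
The steps above, written out as an added Python example (not Spektrix's own code). The secret key is a constructed demo value, the URI is passed exactly as it appears in the sample request line, and `header_matches` is a hypothetical helper that shows how changing any signed field invalidates the header.

```python
import base64
import hashlib
import hmac

SCHEME = "SpektrixAPI3"
# Constructed demo key (not a real Spektrix key), base-64 encoded as the page describes.
DEMO_SECRET_KEY = base64.b64encode(b"constructed-demo-key").decode("ascii")
# URI, date and login name copied from the sample request on this page.
URI = "api/v3/customers/I-AK11-1ATK"
DATE = "Mon, 01 Jan 2020 19:37:58 +0000"
LOGIN = "TestLogin"


def body_string_to_sign(body: str) -> str:
    """BodyStringToSign = BASE-64( MD5( UTF-8( body ) ) )."""
    return base64.b64encode(hashlib.md5(body.encode("utf-8")).digest()).decode("ascii")


def string_to_sign(method: str, uri: str, date: str, body: str = "") -> str:
    parts = [method.upper(), uri, date]
    if body:  # the fourth line is appended only when the request has a body
        parts.append(body_string_to_sign(body))
    return "\n".join(parts)


def authorization_header(login, secret_key_b64, method, uri, date, body=""):
    # Decode the key first; validate=True rejects a mistyped key instead of
    # silently discarding characters outside the base-64 alphabet.
    key = base64.b64decode(secret_key_b64, validate=True)
    message = string_to_sign(method, uri, date, body).encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha1).digest()
    return f"{SCHEME} {login}:{base64.b64encode(digest).decode('ascii')}"


def header_matches(received, login, secret_key_b64, method, uri, date, body=""):
    """Hypothetical check: recompute the header and compare in constant time."""
    expected = authorization_header(login, secret_key_b64, method, uri, date, body)
    return hmac.compare_digest(received.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    header = authorization_header(LOGIN, DEMO_SECRET_KEY, "GET", URI, DATE)
    print(header)
    # Signing the same request with a body yields a different signature.
    print(header_matches(header, LOGIN, DEMO_SECRET_KEY, "GET", URI, DATE, body="{}"))
```

The Date header sent with the request must be byte-for-byte the string that was signed, so format it once and reuse it for both.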