Generate Authentication Token
Accessing and manipulating user data through the APIs requires a signed authentication token in the HTTP headers.
Signing Authentication Token
In Go language:
func SignAuthenticationToken(uid, sid, privateKey, method, uri, body string) (string, error) {
expire := time.Now().UTC().Add(time.Hour * 24 * 30 * 3)
sum := sha256.Sum256([]byte(method + uri + body))
claims := jwt.MapClaims{
"uid": uid,
"sid": sid,
"iat": time.Now().UTC().Unix(),
"exp": expire.Unix(),
"jti": UuidNewV4().String(),
"sig": hex.EncodeToString(sum[:]),
"scp": "FULL",
}
priv, err := base64.RawURLEncoding.DecodeString(privateKey)
if err != nil {
return "", fmt.Errorf("Bad ed25519 private key %s", privateKey)
}
// more validate the private key
if len(priv) != 64 {
return "", fmt.Errorf("Bad ed25519 private key %s", priv)
}
token := jwt.NewWithClaims(Ed25519SigningMethod, claims)
return token.SignedString(ed25519.PrivateKey(priv))
}
An example of a signed authentication token:
eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MzMwOTY0ODUsImlhdCI6MTUyNTMyMDQ4NSwianRpIjoiMjU5NGFkNTctOWRhZC00MjRmLTg1OTUtYjE0NzI3ZTI0ZTYxIiwic2lkIjoiYzA5Y2YzMTMtN2RlZC00MjVkLWFkM2YtYTFjZTRjZmQ1ZTVlIiwic2lnIjoiODVkZDIzOGE5ODM0NzE3ZGMxM2QzODQ0ZjYzYTFmZWUxM2Q4MmQyZTZjMmVlNDRlYWM3Yzc5MGY1ZGIyNWY4OCIsInVpZCI6Ijg5ZTBiZGVlLWMzNTUtNDdmMi05NDVhLWJlNDhiZTg3NTYwNiJ9.PYg6Cx5grs0flJe862R3VLEWKyTZPcXOGYF9RouztgR_mi3kleIzJt4vCwUZI9F7QrHBFMtTc3_wG_ymnnjsmnm0pBdoON4I-RxeaztIlyc1Ey9lLFe6_ARRUBXo_15ZORilS1hRdMREd84eQOLlO0ChieBPY0tSSiVqTaFZt3Q
Calling APIs
const (
userId = ""
sessionId = ""
privateKey = ""
)
func main() {
uri := "https://mixin-api.zeromesh.net"
path := "/me"
token, err := SignAuthenticationToken(userId, sessionId, privateKey, "POST", path, "")
if err != nil {
println(err)
return
}
req, err := http.NewRequest("GET", uri+path, bytes.NewReader(nil))
if err != nil {
println(err)
return
}
httpClient := &http.Client{}
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Authorization", "Bearer "+token)
req.Header.Set("X-Request-Id", uuid.NewV4().String())
resp, err := httpClient.Do(req)
if err != nil {
println(err)
return
}
defer resp.Body.Close()
if resp.StatusCode >= 500 {
println(err)
return
}
println(ioutil.ReadAll(resp.Body))
}
- The signed authorization token cannot be reused, please regenerate it every time you request.
X-Request-Id
is used to identify the current request,