Developer Hub

Signature authentication

Rapid's signature authentication method is required for all API requests.

API key authentication and access

You'll use the HTTP authorization header to transmit your API key and a SHA-512 signature hash with each request. The signature hash consists of your API key, shared secret, and a UNIX timestamp.

Don't have an API key? Information and instructions on setting up your account can be found on the getting started page.

Creating your authorization header

Rapid expects your authorization header to use the format below, note the required EAN prefix. This prefix ensures the correct authorization rules are applied to your request.

Authorization: EAN APIKey=yourAPIKey,Signature=sha512Hash,timestamp=yourUNIXTimestamp

Your signature value is the unsalted SHA-512 hash of the concatenation of your API key + shared secret + UNIX timestamp in seconds.

Your timestamp value must be the same value used to generate your signature. If a different timestamp value is provided, Rapid will not be able to verify your signature hash value and your request will be rejected.

Here is an example complete authorization header:

Authorization: EAN APIKey=dkc4wrkp7w58wx5v2jxen2kx,Signature=Mgup2Azf,timestamp=1476739212

Verifying your authorization header

Test your own code against the Rapid Signature Generator before attempting test requests.

Note: NTP clock sync

Rapid syncs internal server times using Network Time Protocol (NTP). If you use NTP as well, clock sync issues should not occur. Most modern operating systems support this or similar time sync services, check your OS documentation. The system accepts timestamps up to five minutes before or after the server timestamp to accommodate for reasonable clock drift.

Signature Generation code samples

PHP

$apiKey = "abcdefg";
$secret = "1a2bc3";
$timestamp = time();
$authHeader = 'Authorization: EAN APIKey=' . $apiKey . ',Signature=' . hash("sha512", $apiKey.$secret.$timestamp) . ',timestamp=' . time();

JavaScript

var crypto = require('crypto');
var request = require('request');
var apiKey = '123';
var secret = '123';
var timestamp = Math.round(new Date().getTime() / 1000);
var hash = crypto.createHash('sha512').update(apiKey + secret + timestamp).digest('hex');
var authHeaderValue = 'EAN APIKey=' + apiKey + ',Signature=' + hash + ',timestamp=' + timestamp;

Java

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Timestamp;
import java.util.Date;
String apiKey = "123";
String secret = "123";
Date date= new java.util.Date();
Long timestamp = (date.getTime() / 1000);
String signature = null;
try {
   String toBeHashed = apiKey + secret + timestamp;
   MessageDigest md = MessageDigest.getInstance("SHA-512");
   byte[] bytes = md.digest(toBeHashed.getBytes("UTF-8"));
   StringBuilder sb = new StringBuilder();
   for(int i=0; i< bytes.length ;i++){
       sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
   }
   signature = sb.toString();
} catch (NoSuchAlgorithmException e) {
   e.printStackTrace();
} catch (UnsupportedEncodingException e) {
   e.printStackTrace();
}
String authHeaderValue = "EAN APIKey=" + apiKey +  ",Signature=" + signature + ",timestamp=" + timestamp;

Python

#!/usr/bin/env python
import hashlib
import time
apiKey = "123"
secret = "123"
timestamp = str(int(time.time()));
authHeaderValue = "EAN APIKey=" + apiKey + ",Signature=" + hashlib.sha512(apiKey+secret+timestamp).hexdigest() + ",timestamp=" + timestamp

Ruby

require 'digest'
apiKey="123"
secret="123"
timestamp = Time.now.to_i
toBeHashed = "#{apiKey}#{secret}#{timestamp}"
signature = Digest::SHA2.new(512).hexdigest(toBeHashed)
authHeaderValue = "EAN APIKey=#{apiKey},Signature=#{signature},timestamp=#{timestamp}"

C#

String apiKey = "123";
String secret = "123";
TimeSpan epochTicks = new TimeSpan(new DateTime(1970, 1, 1).Ticks);
TimeSpan unixTicks = new TimeSpan(DateTime.UtcNow.Ticks) - epochTicks;
double unixTime = (int)unixTicks.TotalSeconds;
var toBeHashed = apiKey + secret + unixTime;
var bytes = System.Text.Encoding.UTF8.GetBytes(toBeHashed);
using (var hash = System.Security.Cryptography.SHA512.Create())
{
   var hashedInputBytes = hash.ComputeHash(bytes);
   var hashedInputStringBuilder = new System.Text.StringBuilder(128);
   foreach (var b in hashedInputBytes)
       hashedInputStringBuilder.Append(b.ToString("X2"));
   var signature = hashedInputStringBuilder.ToString();
   var authHeaderValue = "EAN APIKey=" + apiKey + ",Signature=" + signature +",timestamp=" + unixTime;
}

Perl

use strict;
use Crypt::Digest::SHA512 qw(sha512_hex);
my $apiKey = '123';
my $secret = '123';
my $timestamp = time;
my $sig = sha512_hex($apiKey . $secret . $timestamp);
my $authHeaderValue = "EAN APIKey=".$apiKey.",Signature=".$sig.",timestamp=".$timestamp;
print $authHeaderValue;

GoLang

apiKey := "123"
secret := "123"
timestamp := strconv.FormatInt(time.Now().Unix(), 10)
c := sha512.New()
c.Write([]byte(apiKey + secret + timestamp))
signature := hex.EncodeToString(c.Sum(nil))
authHeaderValue := "EAN APIKey=" + apiKey + ",Signature=" + signature + ",timestamp=" + timestamp

Protecting your shared secret

The shared secret provided to you is critical to the security of your request data – treat it like a password. Never include the raw value in any publicly accessible site or app code. You will be provided with a shared secret and an API key when you are approved to integrate Rapid.

See also

Guest Reviews

Signature Generator

EPS Notification Tester

COVID-19 Rapid updates

Did you find this page helpful?
How can we improve this content?
Thank you for helping us improve Developer Hub!

Privacy Statement Cookie Statement Terms of Use

Expedia, Inc. is not responsible for content on external websites.
© 2024 Expedia, Inc., an Expedia Group company. All rights reserved. Expedia and the Airplane Logo are trademarks or registered trademarks of Expedia, Inc. CST# 2029030-50.