HMAC Authentication Method

HMAC Authentication Method

If you are starting to use Price2Spy or its REST API interface please follow the steps below. If you are an existing Price2Spy client who is already using our REST API and need access to the old documentation, please find it under ‘Old authentication method’.


You can authenticate HTTP requests by using the HMAC-SHA256 authentication scheme. (HMAC refers to hash-based message authentication code.) These requests must be transmitted over TLS.


Provide each request with all HTTP headers required for authentication. The minimum required are:

Request header Description
Host Internet host and port number. (
X-P2S-Date Date and time at which the request was originated. It can’t be more than 15 minutes off from the current Coordinated Universal Time (Greenwich Mean Time). The value is in UNIX Epoch format.
Authorization Authentication information required by the HMAC-SHA256 scheme. Format and details are explained later in this article.


X-P2S-Date: 1700417770
Authorization: HmacSHA256 {Client_ID}:{Signature}

For POST and PUT requests. If DELETE request has a body, it must be provided as well.

Request header Description
Content-Type This header must be "application/json"

Authorization header


Authorization: HmacSHA256 {Client_ID}:{Signature}
Argument Description
HmacSHA256 Authorzation scheme (required).
Client ID Your Client ID. (required)
Signature base64 encoded HmacSHA256 of String-To-Sign. (required)

Client ID

Value of the client ID used to compute the signature.


Base64 encoded HmacSHA256 hash of the String-To-Sign. It uses the Client Secret identified by Client ID. base64_encode(HMACSHA256(String-To-Sign, Client_Secret))


It is a canonical representation of the request:

HTTP_METHOD + ‘\n’ +

host_with_port + ‘\n’ +

content_type + ‘\n’ +

resource_path + ‘\n’ +

date_in_unix_epoch + ‘\n’ +


Argument Description
HTTP_METHOD Uppercase HTTP method name used with the request. For more information, see section 9.
host_with_port Internet host and port number. (
content_type This header must be “application/json” for POST and PUT requests. If DELETE request has a body, it must be provided as well.
resource_path Concatenation of request absolute URI path and query string. For more information, see section 3.3.
date_in_unix_epoch This header must be UNIX Epoch time and must be within 15 minutes of the current time. This date is included to prevent replay attacks.
request_payload Request body in JSON format. It must be provided even if there is no body. For requests without a body an empty string can be provided.

Generating the signature:

Example POST




{“active”: true}

Example GET



“” Just an empty string for the payload, does not represent actual qoutation marks.

HMAC-related errors

{“message”:”Hmac signature mismatch”}

HMAC signature mismatch – The client-generated hash value and the server-generated hash value do not match.

{“message”:”Authorization header with HmacSHA256 scheme not provided”}

Provide a valid Authorization HTTP request header.

{“message”:”Hmac invalid timestamp header”}

Timestamp header not provided in the correct format.

{“message”:”Hmac missing timestamp header”}

Timestamp header not provided in the request.