Authentication

Tillo's authentication system is based on the HMAC process, where a signature string is built up using information from the request body and hashed using your Secret from the previous step.

As we're going to be making a request for a digital gift card using the /digital/issue endpoint, the signature string should be made from the following elements:

  • API Key
  • HTTP Method
  • endpoint slug
  • client request ID
  • brand identifier
  • UTC Timestamp in milliseconds

Client Request ID

The Client Request ID should be unique for every request you make, so something like a UUID or a random hashed string works well.

TIP

The Client Request ID may contain only alphanumeric characters, hyphens and underscores, and must be between 5 and 50 characters in length.

Signature String

The signature string is made from the elements listed above concatenated into one string with dashes between each.

In this example, we'll make a request for an Amazon gift card. This means the signature string (before it is hashed), should look like this:

[api_key]-POST-digital-issue-[client_request_id]-amazon-[utc_timestamp]

Put your api_key, client_request_id, and the utc_timestamp into your string. If you're using a different brand, you will also need to replace the brand identifier.

Next, hash the signature string using your Secret. The result is a hex string like this:

19694a0866b20938698e490d4ecd6f429e8e781d912451362e7a1ec174c6f59e

WARNING

As the Client Request ID and timestamp will be different each time you make a request, you must re-calculate your signature string before each request.

TIP

We built a tool to help you figure out what to include in your signature string. Check it out: Signature Builder

Request Headers

Your request headers should look like this:

Content-Type: "application/json"
Accept: "application/json"
API-Key: YOUR_API_KEY
Signature: YOUR_HASHED_SIGNATURE
Timestamp: CURRENT_UTC_TIMESTAMP_IN_MILLISECONDS
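
The steps above put together for one /digital/issue request, as an added example that is not Tillo's own code. It assumes the hash is HMAC-SHA256 with hex output (the page only says "HMAC"; the 64-character sample above is consistent with that). The function names and the credentials are constructed for illustration.

```python
import hashlib
import hmac
import re
import time
import uuid

# Rule from the page: alphanumerics, hyphens and underscores, 5 to 50 characters.
CLIENT_REQUEST_ID_RE = re.compile(r"[A-Za-z0-9_-]{5,50}")


def build_signature_string(api_key, method, slug, client_request_id, brand, timestamp_ms):
    """Join the six elements with dashes, in the order the page lists them."""
    if not CLIENT_REQUEST_ID_RE.fullmatch(client_request_id):
        raise ValueError("client request ID must be 5-50 characters of [A-Za-z0-9_-]")
    return "-".join([api_key, method.upper(), slug, client_request_id, brand, str(timestamp_ms)])


def sign(signature_string, secret):
    """Assumption: HMAC-SHA256 keyed with the Secret, hex-encoded."""
    return hmac.new(secret.encode(), signature_string.encode(), hashlib.sha256).hexdigest()


def build_issue_headers(api_key, secret, brand, client_request_id=None, timestamp_ms=None):
    """Return (headers, client_request_id) for one POST to /digital/issue."""
    # Fresh ID and timestamp per request, so the signature is recomputed every time.
    if client_request_id is None:
        client_request_id = str(uuid.uuid4())
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)  # UTC epoch milliseconds
    sig_string = build_signature_string(
        api_key, "POST", "digital-issue", client_request_id, brand, timestamp_ms)
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "API-Key": api_key,
        "Signature": sign(sig_string, secret),
        # Send the same value that went into the signature string.
        "Timestamp": str(timestamp_ms),
    }
    return headers, client_request_id


if __name__ == "__main__":
    # Constructed placeholder credentials; load real ones from a secret store.
    headers, request_id = build_issue_headers("example-api-key", "example-secret", "amazon")
    print(request_id, headers["Signature"])
```

The returned client request ID is the one that was signed, so the same value has to be used in the request itself.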