Authentication

Every request to our API needs to be authenticated and signed with a Hashed Message Authentication Code (HMAC) Signature.

API Keys

First of all you need to generate your API Keys in the Seller Office. They consist on a Client Key and Client Secret. Please, write them down once they are generated as the Client Secret can’t be seen afterwards.

Headers

Each request must contain the following four headers:

Header Explanation
Accept Accept header set to application/json.
X-Client-Id This is the value of the Client Key.
X-Timestamp Set X-Timestamp with the current Unix Timestamp in seconds and must be current at the time the request is made. There is a 10-minute window around the current time to account for clock skew. In other words, timestamp can be up to 5 minutes earlier or 5 minutes later than the current server time. If the timestamp is more than 5 minutes different from the current server time when the request is received, the request will be rejected.
X-Signature It contains an HMAC signature of the request. The HMAC is specific to each request, so it must be regenerated for each request.

How to sign a request?

Each request must be signed by a SHA-256 HMAC in base64 encoding. This HMAC is generated by concatenating the request information together, separated by newline characters, and generating a SHA-256 HMAC from the resulting string and the Client Secret (Key). Here is an implementation of the HMAC generation function in PHP:

function signRequest($method, $uri, $body, $timestamp, $secretKey)
{
    $string = implode("\n", [
        $method,
        $uri,
        $body,
        $timestamp,
    ]);
 
    return hash_hmac('sha256', $string, $secretKey);
}

The required values in the signature string are:

  • $method- The HTTP method of the request, uppercased (e.g. GET, POST, PATCH, DELETE).
  • $uri - The full URI of the request, including https:// and the full domain name (e.g. https://app-seller-pim.prod.de.metro-marketplace.cloud/openapi/v1/categories).
  • $body - The body of the request. If the request doens´t have a body, you should use an empty string.
  • $timestamp - The value of the current Unix timestamp at the time of the request. This must be the same as the value of the X-Timestamp header.
  • $secretKey - Client Secret Key which you have generated in the Seller Office.

The PHP function hash_hmac() produces an HMAC using SHA-256 as the cryptographic hash function. For example, you could generate an HMAC for the following values (in PHP):

$method = "GET";
$uri = "https://service-category.sandbox.infra.metro-markets.cloud/public/api/v1/DE/categories";
$body = "";
$timestamp = 1612137600;
$secretKey = "856216c8abc2b154645613f456123aab";

The X-Signature generated by these values is 8844a35f5d2a4f57acbddf12ae3ed25973d73c2d2ec1d93c30a4fe1baddf569f

Example of how the headers would look like in the HTTP Request above:

GET  /public/api/v1/DE/categories HTTP/1.1
Host: service-category.sandbox.infra.metro-markets.cloud
Accept: application/json
X-Client-Id: bc456123-4561-1d56-4def-456b30abc123
X-Timestamp: 1612137600
X-Signature: 8844a35f5d2a4f57acbddf12ae3ed25973d73c2d2ec1d93c30a4fe1baddf569f

Here you can see a full example using PHP:

<?php
function signRequest($method, $uri, $body, $timestamp, $secretKey)
{
    $hash = implode("\n", [$method, $uri, $body, $timestamp]);
    return hash_hmac('sha256', $hash, $secretKey);
}
$url = "https://service-category.sandbox.infra.metro-markets.cloud/public/api/v1/DE/categories";
$curl = curl_init($url);
$method = "GET";
$clientKey = "";
$clientSecret = "";
$unixTime = time();
$signature = signRequest($method, $url, "", $unixTime, $clientSecret);
curl_setopt($curl, CURLOPT_HTTPHEADER, [
    "X-Client-Id: $clientKey",
    "X-Timestamp: $unixTime",
    "X-Signature: $signature",
    "Accept: application/json"
]);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($curl);
curl_close($curl);
$json = json_decode($response, true);
print_r($json); 
										

You can find an example with Javascript in the Postman section.