Vignetim

Authentication

Every request to the Partner API must be authenticated using HMAC-SHA256 request signing. This ensures that requests are both authentic and have not been tampered with in transit.

Required Headers

Header        Description
X-API-Key     Your organization API key
X-Timestamp   Current Unix timestamp in seconds (e.g., 1711000000)
X-Nonce       A unique string per request (UUID v4 recommended)
X-Signature   HMAC-SHA256 hex signature of the request

Signature Construction

The signature is computed by building a dot-separated message string and signing it with your API key secret:

message = "{timestamp}.{nonce}.{method}.{path}.{body}"
signature = HMAC-SHA256(apiKeySecret, message).hexDigest()

The message components, joined with dots (.):

  1. timestamp — Unix timestamp in seconds (same value as X-Timestamp header)
  2. nonce — The same value sent in the X-Nonce header
  3. method — The HTTP method in uppercase (e.g., GET, POST)
  4. path — The full request path (e.g., /v2/partners/products/tickets)
  5. body — The raw JSON request body string. For GET requests with no body, use an empty string ""

The resulting HMAC digest must be encoded as lowercase hex.

Examples

# Credentials (placeholders): issued per organization by Vignetim
API_KEY="your-api-key"
API_SECRET="your-api-secret"
# Current Unix seconds plus a fresh lowercase UUID for every request
TIMESTAMP=$(date +%s)
NONCE=$(uuidgen | tr '[:upper:]' '[:lower:]')
METHOD="GET"
REQ_PATH="/v2/partners/products/tickets"
BODY=""   # empty string for a GET with no body

# Dot-separated message: timestamp.nonce.method.path.body
MESSAGE="${TIMESTAMP}.${NONCE}.${METHOD}.${REQ_PATH}.${BODY}"

# HMAC-SHA256 with the API secret. printf writes the message without a trailing
# newline (and is portable where "echo -n" is not); awk keeps only the hex digest
# from openssl's "(stdin)= <hex>" output.
SIGNATURE=$(printf '%s' "${MESSAGE}" | \
  openssl dgst -sha256 -hmac "${API_SECRET}" | \
  awk '{print $2}')

curl -X GET "https://api.vignetim.com${REQ_PATH}" \
  -H "Content-Type: application/json" \
  -H "X-API-Key: ${API_KEY}" \
  -H "X-Timestamp: ${TIMESTAMP}" \
  -H "X-Nonce: ${NONCE}" \
  -H "X-Signature: ${SIGNATURE}"

Important Notes

  • The X-Timestamp must be within 5 minutes (300 seconds) of the server time. Requests with stale timestamps will be rejected with a 401 error.
  • Each X-Nonce value must be unique and can only be used once. Reusing a nonce will result in a 401 error.
  • Always use the raw, unformatted JSON body string for signature computation. Do not pretty-print or re-serialize the body before signing.
  • The signature must be lowercase hex-encoded. Do not use base64.
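Both halves of the scheme described under Signature Construction and Important Notes, as an added example that is not part of the Vignetim documentation or SDK: a client helper that builds the four headers, and a server-side verifier that enforces the 300-second window, single-use nonces, and a constant-time signature comparison. API_SECRET and the in-memory nonce set are constructed stand-ins.

```python
import hmac
import hashlib
import time
import uuid

# Constructed demo secret; real keys and secrets come from your Vignetim partner account.
API_SECRET = "demo-secret"
MAX_SKEW_SECONDS = 300  # the 5-minute window from the Important Notes

def build_message(timestamp, nonce, method, path, body=""):
    """Dot-joined message exactly as the spec defines it (method uppercase, raw body)."""
    return f"{timestamp}.{nonce}.{method.upper()}.{path}.{body}"

def sign(secret, timestamp, nonce, method, path, body=""):
    """Lowercase hex HMAC-SHA256 over the message string (client side)."""
    msg = build_message(timestamp, nonce, method, path, body).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()

def sign_headers(api_key, secret, method, path, body="", now=None):
    """Produce the four required headers for one request."""
    ts = str(int(time.time() if now is None else now))
    nonce = str(uuid.uuid4())  # fresh per request, as the spec requires
    return {"X-API-Key": api_key, "X-Timestamp": ts, "X-Nonce": nonce,
            "X-Signature": sign(secret, ts, nonce, method, path, body)}

class Verifier:
    """Server-side check: freshness window, single-use nonce, constant-time compare."""
    def __init__(self, secret, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.seen_nonces = set()  # stand-in for a shared store that expires with the skew window

    def verify(self, headers, method, path, body="", now=None):
        now = int(time.time() if now is None else now)
        ts_raw = headers.get("X-Timestamp", "")
        if not ts_raw.isdigit() or abs(now - int(ts_raw)) > self.max_skew:
            return False, "stale timestamp"
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return False, "missing or reused nonce"
        # Recompute over the raw body the server received, not a re-serialized copy.
        expected = sign(self.secret, ts_raw, nonce, method, path, body)
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen_nonces.add(nonce)  # record only after the signature is confirmed
        return True, "ok"
```

The verifier signs with the header's timestamp string as received rather than a re-parsed integer, so a value such as a leading zero cannot silently change the message the client signed.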