In the current times of big cybercrimes and security hacks across the world, it is extremely important that your system is very secure. Given the industry we work in and the number of stakeholders involved, such as merchants, distributors and employees, it is imperative for all DMT systems to be hack proof. As you scale your DMT business, your systems need to get more secure.
Current API Security System
Currently, we only ask for a static developer key for authentication and identification. We do communicate to all our API partners that their developer key is confidential and should not be shared with anyone. But the “developer_key” alone is not enough to secure the API call: there is still some chance of a man-in-the-middle attack. If the developer key gets compromised, anyone can misuse your credentials to do transactions. These security compromises can be catastrophic in remittance businesses. We have seen 2-3 such security compromises every 6 months for our API partners. Eko recognizes these risks and has come up with an improved API security system.
We have introduced two new parameters in our API ecosystem, secret-key and secret-key-timestamp, which will improve API security.
These 2 parameters need to be passed in each API call and should be passed in the request header, like developer_key.
How to generate the secret key?
Steps to generate the secret-key and secret-key-timestamp
- Encode the key using base64 encoding
- Generate the current date in milliseconds, which will work as the salt, i.e. secret-key-timestamp
- Compute the signature by hashing the salt and the base64-encoded key using a hash-based message authentication code (HMAC) with SHA256
- Encode the signature using base64 encoding and use this as the secret-key
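The four steps above as an added Python example (not Eko's own code), extended with a receiver-side check to show how the timestamp is validated. Assumptions: the base64-encoded key is used as the HMAC key and the timestamp string as the message, which the steps do not spell out; `access_key`, `verify_headers` and the 5-minute window are hypothetical names and values.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample value, not a real credential.
SAMPLE_ACCESS_KEY = "sample-access-key-0000"
MAX_SKEW_MS = 5 * 60 * 1000  # assumed freshness window; the page does not specify one


def make_secret_key(access_key: str, timestamp_ms: str) -> str:
    """base64(key) -> HMAC-SHA256 over the timestamp -> base64(signature)."""
    encoded_key = base64.b64encode(access_key.encode("utf-8"))
    # Assumption: encoded key is the HMAC key, timestamp string is the message.
    digest = hmac.new(encoded_key, timestamp_ms.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_headers(developer_key: str, access_key: str, now_ms: Optional[int] = None) -> dict:
    """Headers to send with each API call; a fresh timestamp is used per request."""
    ts = str(now_ms if now_ms is not None else int(time.time() * 1000))
    return {
        "developer_key": developer_key,
        "secret-key": make_secret_key(access_key, ts),
        "secret-key-timestamp": ts,
    }


def verify_headers(headers: dict, access_key: str, now_ms: int) -> bool:
    """Receiver-side check (hypothetical): reject stale or malformed timestamps,
    recompute the secret-key and compare in constant time."""
    ts = headers.get("secret-key-timestamp", "")
    if not (ts.isascii() and ts.isdigit()):
        return False
    if abs(now_ms - int(ts)) > MAX_SKEW_MS:
        return False
    expected = make_secret_key(access_key, ts).encode("ascii")
    supplied = headers.get("secret-key", "").encode("utf-8")
    return hmac.compare_digest(expected, supplied)
```

The signature in these steps covers only the timestamp, so the freshness window on the receiving side is what bounds how long a captured header pair stays valid.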