External Authentication

APIs called from a third-party backend must be authenticated and authorized using a clientKey and clientSecret provided by Saladin. In certain scenarios where the API is called from the third party's client (e.g., mobile app or frontend), Saladin will issue a short-lived access token (approximately 10 minutes). This token allows the third-party client to securely access Saladin's APIs within a limited time frame.

Signature request

For API calls between a third-party backend and Saladin’s backend, Saladin requires a signature to identify which backend is making the request. This signature is an HMAC-SHA256 computed over specific request data, keyed with the API secret (the client secret) provided to the third-party backend.

| Header | Description |
| --- | --- |
| X-Sld-Timestamp | The request timestamp, measured in seconds |
| X-Sld-ClientKey | The client key provided by Saladin |
| X-Sld-Signature | Signature generated based on the request body |

How to generate the signature

Below is the pseudocode used to generate the signature:

POST request

// request body
body = {
    "<field_name>": <field_value>,
    "<field_name>": <field_value>,
    "<field_name>": <field_value>,
}

payload = timestamp + "." + client_key + "." + json_stringify(body)
secret = "<client_secret>"
encoded_payload = base64_safeurl_encode_no_padding(payload)
signature = HMAC_SHA256(secret, encoded_payload)

GET request

// request URL
base_url = "https://api.saladin.vn/vendor"
location = "Hà Nội"
order_id = "88062110977884170"
path = "/order?location=" + url_encode(location) + "&order_id=" + url_encode(order_id)
// path == "/order?location=H%C3%A0+N%E1%BB%99i&order_id=88062110977884170"

payload = timestamp + "." + client_key + "." + path
secret = "<client_secret>"
encoded_payload = base64_safeurl_encode_no_padding(payload)
signature = HMAC_SHA256(secret, encoded_payload)

When generating the signature:

  • Use only the path part of the URL (do not include the base URL).

  • Ensure all query parameter values are properly URL-encoded following the rules defined in RFC 1866 (HTML 2.0 Specification).
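The signing steps above for both POST and GET, together with a receiver-side check, as an added Python example (not Saladin's own code). Assumptions not stated on the page: the signature is sent hex-encoded, the body is serialized as compact JSON, `max_skew` is a hypothetical 300-second replay window, and the credentials are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

def encode_payload(timestamp: int, client_key: str, data: str) -> bytes:
    """timestamp.client_key.data, URL-safe base64 with '=' padding stripped."""
    payload = f"{timestamp}.{client_key}.{data}".encode("utf-8")
    return base64.urlsafe_b64encode(payload).rstrip(b"=")

def sign(secret: str, timestamp: int, client_key: str, data: str) -> str:
    mac = hmac.new(secret.encode("utf-8"), encode_payload(timestamp, client_key, data), hashlib.sha256)
    return mac.hexdigest()  # assumption: hex output; the page does not say

def post_data(body: dict) -> str:
    # Assumption: compact JSON. Send exactly this string as the request body,
    # otherwise the receiver hashes different bytes than were signed.
    return json.dumps(body, separators=(",", ":"), ensure_ascii=False)

def get_data(path: str, params: dict) -> str:
    # urlencode() uses form encoding (space -> '+'), matching the page's example
    return f"{path}?{urlencode(params)}"

def signed_headers(secret: str, client_key: str, data: str, timestamp: int) -> dict:
    return {
        "X-Sld-Timestamp": str(timestamp),
        "X-Sld-ClientKey": client_key,
        "X-Sld-Signature": sign(secret, timestamp, client_key, data),
    }

def verify(secret: str, headers: dict, data: str, now: int, max_skew: int = 300) -> bool:
    """Receiver-side check. max_skew is a hypothetical replay window."""
    try:
        ts = int(headers["X-Sld-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew:
        return False  # stale or future-dated request
    expected = sign(secret, ts, headers.get("X-Sld-ClientKey", ""), data)
    # Constant-time comparison avoids leaking how many characters matched
    return hmac.compare_digest(expected.encode(), headers.get("X-Sld-Signature", "").encode())

# Constructed sample values, not real credentials
SECRET, KEY, NOW = "demo-secret", "demo-key", 1700000000
GET_DATA = get_data("/order", {"location": "Hà Nội", "order_id": "88062110977884170"})
GET_HEADERS = signed_headers(SECRET, KEY, GET_DATA, NOW)
POST_DATA = post_data({"order_id": "88062110977884170", "location": "Hà Nội"})
POST_HEADERS = signed_headers(SECRET, KEY, POST_DATA, NOW)
```

Because the timestamp and client key are part of the signed payload, changing either header invalidates the signature just as changing the body or path does.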
