Authorization

FOMO use RSA-SHA256 (a.k.a. SHA256WithRSA) to allow customers like you to sign requests sent to FOMO API gateway. With RSA-SHA256, even FOMO cannot create API requests on your behalf as only the private key holder can sign and authorize the request.

You will need to provide FOMO a public key in order to use our API service. After onboarding, you will be provided a CustomerID which will be used for authorization.

Key generation

In order to sign your request with RSA-SHA256. You will need a pair of RSA keys. Please share with FOMO only the public key in PEM encoding in PKCS#8 format (labeled with PUBLIC KEY) or PKCS#1 format (labeled with RSA PUBLIC KEY).

To generate an RSA key pair, you may refer to the following command:

At this time you should have the key pair (key.pem and pub.pem). Please share only the pub.pem with FOMO and keep the key.pem (your signing key) secure at all times. Since the public key pub.pem can be derived from key.pem, you do not need to store the pub.pem after it has been shared with FOMO. You will only need key.pem in the following signing process.

Request signing

1. Prepare request

Add the following headers to your request, replace the current header if one already exists:

Header name	Header value
`host`	Host of the request URL
`content-type`	Content-Type of the request payload (if exists)
`x-fomo-date`	`Timestamp` (see below)
`x-fomo-nonce`	`CryptographicNonce` (see below)
`x-fomo-content-sha256`	`HashedPayload` (see below)
`x-fomo-api-version`	API version you are using (please refer to the API endpoint)

AuthorizationType

Fixed value FOMO1-RSA-SHA256

FOMO1-RSA-SHA256

Credential

Your CustomerID

725040eb-ed2c-4926-967c-39c8769eb622

Timestamp

Current time in RFC-3339 Zulu format. Only milliseconds can be omitted.

2025-02-24T07:09:57.589Z

CryptographicNonce

Cryptographic nonce. 16-256 hexadecimal characters.

421ae34f7c4ca51050253fd22ac2b23e

HashedPayload

Hexadecimal value of SHA256-HASH of the request payload. If there is no payload, compute the hash of an empty string.

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

2. Calculate request parts

HttpVerb

The HTTP method (in uppercase)

GET

CanonicalURI

URI-encoded version of the absolute path of the URI - everything starting with "/" that follows the domain name and up to the end of URI string or to the question mark "?" if query string presents.

/v1/transactions

CanonicalQueryString

URI-encoded query string (percent-encodes every character except alphanumerics and "-", "_", ".", "~"). Names and values should be encoded separately. The encoded parametres must be sorted alphabetically by key name. Sorting should be done after encoding.

balance_id=2b09efb6-f7b7-4739-96dc-5536ea6444f3

CanonicalHeaders

A list of request header name and value pairs. Headers names must be in lowercase and header value must be trimmed. Each header name and value pair is joined by ":" followed by a newline "\n" (ASCII 10 or 0x0A). The list should be sorted alphabetically by header name.

CanonicalHeaders =

Name1 + ":" + Value1 + "\n" +

Name2 + ":" + Value2 + "\n" +

... +

NameN + ":" + ValueN + "\n"

💡

The following headers must be included (other headers are optional):

host header

content-type header (if exists)

All headers with name starts with x-fomo-

content-type:application/json
host:uat.fomoapis.com
x-fomo-api-version:v20250212
x-fomo-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-fomo-date:2025-02-24T07:09:57.589Z
x-fomo-nonce:421ae34f7c4ca51050253fd22ac2b23e

SignedHeaders

A string of alphabetically sorted, semicolon separated list of lowercase header names. The headers in the list must be the same as headers included in CanonicalHeaders list.

content-type;host;x-fomo-api-version;x-fomo-content-sha256;x-fomo-date;x-fomo-nonce

3. Construct CanonicalRequest

CanonicalRequest=

HTTPVerb + "\n" +

CanonicalURI + "\n" +

CanonicalQueryString + "\n" +

CanonicalHeaders + "\n" +

SignedHeaders + "\n" +

HashedPayload

GET
/v1/transactions
balance_id=2b09efb6-f7b7-4739-96dc-5536ea6444f3
content-type:application/json
host:uat.fomoapis.com
x-fomo-api-version:v20250212
x-fomo-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-fomo-date:2025-02-24T07:09:57.589Z
x-fomo-nonce:421ae34f7c4ca51050253fd22ac2b23e

content-type;host;x-fomo-api-version;x-fomo-content-sha256;x-fomo-date;x-fomo-nonce
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

4. Prepare StringToSign for signing

StringToSign =

AuthorizationType + "\n" +

Timestamp + "\n" +

CryptographicNonce + "\n" +

HEX(SHA256-HASH(CanonicalRequest))

FOMO1-RSA-SHA256
2025-02-24T07:09:57.589Z
421ae34f7c4ca51050253fd22ac2b23e
d42e6ee9afa2b9400efaeb8afac7b99da3873da8be434b2667193ca0381d2909

5. Sign using private key

Signature = HEX(RSA-SHA256-SIGN(StringToSign, key.pem))

57fcc54c1ebe87c40dc329dc10...f4cfd2e162415bdb

6. Add authorization header to request

Add the following headers to your request, replace the current header if one already exists:

Header name	Header value
`authorization`	`Authorization` (see below)

Authorization

Authorization=

AuthorizationType + " " +

"Credential=" + Credential + "," +

"SignedHeaders=" + SignedHeaders + "," +

"Signature=" + Signature

FOMO1-RSA-SHA256 Credential=725040eb-ed2c-4926-967c-39c8769eb622,SignedHeaders=content-type;host;x-fomo-api-version;x-fomo-content-sha256;x-fomo-date;x-fomo-nonce,Signature=57fcc54c1ebe87c40dc329dc1019...cfd2e162415bdb

Key rotation

Before key rotation, you may first provide us your new public key. By injecting the new key, both new key and exist key will work in the mean time so that you can swap your keys without any downtime. You may inform us to remove the existing key after your have successfully replaced the keys in your app.

Key generation#

Request signing#

1. Prepare request#

2. Calculate request parts#

3. Construct CanonicalRequest#

4. Prepare StringToSign for signing#

5. Sign using private key#

6. Add authorization header to request#

Key rotation#