Home
API Reference
GuidesAPI Reference💬 Ask

Authentication

All API requests must be authenticated with a developer_key in the request. Your API keys carry many privileges, so be sure to keep them secret!

You authenticate to the Eko API by providing your API key in the header of each request.

How to generate developer_key?

Production developer key will be shared after the following is done:

  1. Organization's KYC is completed on Eko's platform (visit https://connect.eko.in)
  2. For UAT, a dummy developer_key can be used from platform credentials section

Security 2.0

To ensure that compromise on one of the authentication i.e your developer_key never leads to any fraud, another solution has been provided which requires clients to send 2 more parameters for each API call:

  1. secret-key
  2. secret-key-timestamp

Please make sure to regenerate both the secret key and secret key timestamp.

How to generate the secret-key?

  1. Encode key using base64 encoding technique.

  2. Generate current timestamp (in milliseconds since UNIX epoch), i.e. secret-key-timestamp (Check currentmillis.com to understand the timestamp format)

  3. Compute the signature by hashing salt and base64 encoded key using Hash-based message authentication code HMAC and SHA256

  4. Encode the signature using base64 encoding technique and use this as secret-key 

<?php

// Initializing key in some variable. You will receive this key from Eko via email
$key = "d2fe1d99-6298-4af2-8cc5-d97dcf46df30";

// Encode it using base64
$encodedKey = base64_encode($key);

// Get current timestamp in milliseconds since UNIX epoch as STRING
// Check out https://currentmillis.com to understand the timestamp format
$secret_key_timestamp = (int)(round(microtime(true) * 1000));

// Computes the signature by hashing the salt with the encoded key 
$signature = hash_hmac('SHA256', $secret_key_timestamp, $encodedKey, true);

// Encode it using base64
$secret_key = base64_encode($signature);

//Display
echo "secret-key: " . $secret_key. "\n";
echo "secret-key-timestamp: " . $secret_key_timestamp . "\n";

?>

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Date;

public class Main {
    public static final String HMAC_SHA256 = "HmacSHA256";

    public static void activateEKyc() {
        try {
            String secret_key = "";
            String secret_key_timestamp = "";
            String request_hash = "";

            // Initializing key

            
            String key = "d2fe1d99-6298-4af2-8cc5-d97dcf46df30";//uat auth key
            
            String encodedKey = Base64.getEncoder().encodeToString(key.getBytes(StandardCharsets.UTF_8));

            // Get secret_key_timestamp: current timestamp in milliseconds since UNIX epoch as STRING
            // Check out https://currentmillis.com to understand the timestamp format
            Date date = new Date();
            secret_key_timestamp = String.valueOf(date.getTime());

            // Computes the signature by hashing the salt with the encoded key
            Mac sha256_HMAC = Mac.getInstance(HMAC_SHA256);
            SecretKeySpec signature = new SecretKeySpec(encodedKey.getBytes(StandardCharsets.UTF_8), HMAC_SHA256);

            sha256_HMAC.init(signature);

            // Encode it using base64 to get secret-key
            secret_key = Base64.getEncoder().encodeToString(sha256_HMAC.doFinal(secret_key_timestamp.getBytes(StandardCharsets.UTF_8)));

            
            String utility_acc_no = "831882579383";
            String amount = "100";
            String user_code = "34097002";
            String concatenatedString = secret_key_timestamp + utility_acc_no + amount+ user_code;
            byte[] hash = sha256_HMAC.doFinal(concatenatedString.getBytes(StandardCharsets.UTF_8));
            request_hash = Base64.getEncoder().encodeToString(hash);

            System.out.println("secret-key: " + secret_key);
            System.out.println("secret-key-timestamp: " + secret_key_timestamp);
            System.out.println("request_hash: " + request_hash);

        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] args) {
        activateEKyc();
    }
}


using System;
using System.Text;
using System.Security.Cryptography;
 
public class SecretGenerator
{
    public string Generate_Secret(string unixTime)
    {
        // Initializing key in some variable. You will receive this key from Eko via email
        string key = "d2fe1d99-6298-4af2-8cc5-d97dcf46df30";
 
        // Encode it using base64
        string encodedKey = Convert.ToBase64String(Encoding.UTF8.GetBytes(key));
 
        // Get current timestamp in milliseconds since UNIX epoch as STRING
        // Check out https://currentmillis.com to understand the timestamp format
 
        // Computes the signature by hashing the salt with the encoded key
        byte[] encodedKeyBytes = Encoding.UTF8.GetBytes(encodedKey);
        byte[] timestampBytes = Encoding.UTF8.GetBytes(unixTime.ToString());
        byte[] signatureBytes;
 
        using (var hmac = new HMACSHA256(encodedKeyBytes))
        {
            signatureBytes = hmac.ComputeHash(timestampBytes);
        }
 
        // Encode it using base64
        string secretKey = Convert.ToBase64String(signatureBytes);
 
        // Display
        //Console.WriteLine("secret-key: " + secretKey);
        //Console.WriteLine("secret-key-timestamp: " + unixTime);
        return secretKey;
    }
}
 
public class Program
{
    public static void Main(string[] args)
    {
        SecretGenerator generator = new SecretGenerator();
        string unixTime = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds().ToString();
        string secret = generator.Generate_Secret(unixTime);
        Console.WriteLine("secret-key: " + secret);
        Console.WriteLine("secret-key-timestamp: " + unixTime);
    }
}

import base64
import hashlib
import hmac
import time

# Initializing key
key = "d2fe1d99-6298-4af2-8cc5-d97dcf46df30"

# Encode it using base64
encoded_key = base64.b64encode(key.encode()).decode()

# Get current timestamp in milliseconds since UNIX epoch as STRING
# Check out https://currentmillis.com to understand the timestamp format
secret_key_timestamp = int(round(time.time() * 1000))

# Computes the signature by hashing the salt with the encoded key
signature = hmac.new(encoded_key.encode(), str(secret_key_timestamp).encode(), hashlib.sha256).digest()

# Encode it using base64
secret_key = base64.b64encode(signature).decode()

# Display
print(f"secret-key: {secret_key}")
print(f"secret-key-timestamp: {secret_key_timestamp}")




// Initializing key in some variable. You will receive this key from Eko via email

let key = "d2fe1d99-6298-4af2-8cc5-d97dcf46df30";
 
// Encode it using base64

let encodedKey = Buffer.from(key).toString('base64');
 
// Get current timestamp in milliseconds since UNIX epoch

let secretKeyTimestamp = Date.now();
 
// Computes the signature by hashing the salt with the encoded key 

let hmac = require('crypto').createHmac('sha256', Buffer.from(encodedKey, 'base64'));

hmac.update(secretKeyTimestamp.toString());

let signature = hmac.digest('base64');
 
// Display

console.log("secret-key: " + signature);

console.log("secret-key-timestamp: " + secretKeyTimestamp);

❗️

Note:

The secret-key-timestamp must match with the current time.

📘

How will you get the key for generating secret-key & request-hash?

The key will be provided to you by Eko via email.

key for the Staging Environment

key = d2fe1d99-6298-4af2-8cc5-d97dcf46df30

❗️

Note

If you are using .NET, you should not send overly specific time stamps, due to differing interpretations of how extra time precision should be dropped. To avoid overly specific time stamps, manually construct dateTime objects with no more than millisecond precision.

❗️

Important Note :

Only IP which is in India will be whitelisted while going on the production mode. IP which is present outside India will not be whitelisted as per compliance