How to configure worldcheck one api in 3rd party application?

Options
joseph.pambi
joseph.pambi Newcomer
in World-Check One

We were tried to configure and test worldcheck one api in https://apitester.com and we passed api-key and api-secret thorough headers. But we are continuously receiving unauthorised message. Could you please help us to configure this portal.

We are trying to request:

SEQ-pre-groups: Get my top-level groups

Tagged:

Best Answer

  • Irfan.Khan
    Irfan.Khan LSEG
    Answer ✓

    @joseph.pambi

    Please find the JS script to generate HMAC script below:

    function generateAuthHeader(dataToSign){
        var hash = CryptoJS.HmacSHA256(dataToSign, "{{client-api-secret}}");
        return hash.toString(CryptoJS.enc.Base64); 
    }
    var date = new Date().toGMTString();
    var dataToSign = "(request-target): get " + "/v1/" + "groups\n" +
            "host: " + "rms-world-check-one-api-pilot.thomsonreuters.com" + "\n" +
            "date: " + date;
    var hmac = generateAuthHeader(dataToSign);

    After this you have to feed the HMAC to the below auth header which is sent in the request.

    var authorisation = "Signature keyId=\"" + "{{client-api-key}}" + "\",algorithm=\"hmac-sha256\",headers=\"(request-target) host date\",signature=\"" + hmac + "\"";

    Kindly note if you are using API tester, then you have to select the "JavaScript" drop down and write the above code in the format that I have written it in the link below:

    https://apitester.com/shared/checks/63ebd758fc504a558151505adf5990ac

    Then select "request" from the dropdown and enter the URL and select the correct method.

    Use the add request header to add two headers in the request. The value for both headers should be pulled from the JS step added to the request and called using the below syntax.

    For example: If the authorization header value is stored in custom variable- custom.auth, then value should be {{custom.auth}}. If the date header value is stored in custom variable - custom.date, then the value should be {{custom.date}}

    1. Authorization: {{custom.auth}}

    2. Date: {{custom.date}}

    If you are still unable to follow the instructions, we can get into a quick call to explain this. However, I still recommend Postman to test your API calls.

Answers

  • Irfan.Khan
    Irfan.Khan LSEG

    @joseph.pambi

    Can you please provide me the "Test Config link" of the failed API from the api tester so that I can look into this.

    Also, kindly send us the authorization headers send using the api tester.

    Kindly note that in order for the request to succeed, the HTTP client should generate the correct HMAC, time stamp and the authorization header.

  • joseph.pambi
    joseph.pambi Newcomer
    irfan.Khan we tried using this following website:

    https://apitester.com and we passed api-key and api-secret. But are not sure how to generate authorisation header and what are the other headers we need to pass inorder to get result. It will be helpful if you provide solution ASAP.

    test config link:

    https://apitester.com/shared/checks/87c4b06a29c64fee90e05b9049ddc51d

  • Irfan.Khan
    Irfan.Khan LSEG

    @joseph.pambi

    I just checked the "Test config link" and see that you are not using any java script steps in your request.

    Kindly note you have to use the java script steps to generate variables like current date, dataToSign variable and HMAC which will in turn be used to generate the authorization header. You have to send this auth header as request header along with the current date (in GMT) to the WC1 API URL to connect successfully.

    I cannot ue

    I have gone through the API tester documentation and do not see any way to pass HMAC variable to the request. An ideal way to use it is given in the link below:

    But as you can see my test is failing on step 3, as it is unable to generate the HMAC using java script. So I am not sure whether API tester is capable of generating Base 64 HMACs.

    https://apitester.com/shared/checks/63ebd758fc504a558151505adf5990ac

    But the above link will give you a fair idea of how to send requests using API tester.

    If you are using this for just testing, I would recommend to use the HTTP client-native Postman app to test the WC1 APIs. This is quite light weight and less time consuming.

    You can import the postman collection (downloadable from the download section of the developer community) to Postman app to test your requests. We recommend this as Postman collection already has the pre request script that generates the HMAC and feeds it in the authorization header.

    Please find the link to download postman collection below:

    https://developers.thomsonreuters.com/customer-and-third-party-screening/world-check-one-api/downloads

    Please find the link to our quick guide section that will guide you how to use Postman for making successful requests.

    https://developers.thomsonreuters.com/customer-and-third-party-screening/world-check-one-api/quick-start

    Please refer the "security.html" file in the API documentation for more details. Kindly go through the documentation to understand how the requests should be sent to succeed. All requests should be HMAC BASE64 encoded and has to be in a certain format in the authorization before they are sent to the API.

  • Irfan.Khan
    Irfan.Khan LSEG

    @joseph.pambi

    Following up to know if you need further assistance on this.

    Thanks.

Categories