How can I get more info from a 401 Unauthorized response?

Hello, I'm trying to connect to the WC1 API, and I'm getting a 401. How can I know where the problem is?

Here is my header from the last request:

{'Date': 'Sun, 03 Mar 2019 14:53:44', 'Authorization': 'Signature keyId="2f392296-1ddc-4568-a73c-0d06acecdb15",algorithm="hmac-sha256",headers="(request-target) host date",signature=b\'S5wGW9KgVsrOF8tIluOo4YkFUDFLChZNGQInW8y17Og=\''}

And here are the response headers:

{'X-Application-Context': 'application', 'Authorization': 'WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length', 'Content-Length': '0', 'Date': 'Sun, 03 Mar 2019 14:53:43 GMT', 'Server': '""'}


@meirr

Yes, you're right. If you compare the signature from the working Postman request (sXm4gi7c2TjkPf/JRKMFahJdvpnWZmf+lonI5ekAYDY=) with the signature from the request you provided (uRI4YC4yRzIeznKmzJYFIYy6Dc8Ffhe4p8/azId6CNI=), they are different; this is definitely the reason for the failure. I believe the HMAC signature formation is happening incorrectly in your Python code.

Kindly go through the code example on the developer portal, under the Downloads tab, for your reference.

https://developers.thomsonreuters.com/customer-and-third-party-screening/world-check-one-api/downloads

Regards,

Mehran Khan


Hi @meirr ,

401 errors occur because the request has failed an authorization check. This can happen for a variety of reasons, such as:

a) An invalid or expired API key.

b) An invalid HMAC signature.

c) A request timing issue or a problem with the Date header value. The API client should ensure a correctly synchronized clock is used to generate request timestamps.

d) Incorrect JSON payload formation at the customer’s end, which can cause them to observe a 401 response.

From your request and response headers, I see that your response time is earlier than your request time. Ensure that the Date header value that you are sending is in sync with the NTP or the GMT clock for the API call to succeed.

API messages are validated by timestamps, to help guard against replay attacks. Messages are only considered valid if they are processed at the point in time corresponding to their Date request header. A small buffer is used in this calculation to allow for minor clock drifts, discrepancies between client and server clocks, and data transfer round trip times. It is advised that when integrating with the World-Check One API, the machines involved in API communication are properly time synchronised via NTP to help prevent any message validity issues.


Thank you for your answer.

It seems like I tried everything and I still get a 401.

I'm trying to check if a caseId exists.

Here are my headers:

{'Date': 'Mon, 04. Mar 2019 10:29:01 GMT', 'Authorization': 'Signature keyId="2f392296-1ddc-4568-a73c-0d06acecdb15",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length",signature="yzYrvNTKV5ldDhiOLw1+glELuTro9RUYXE+Dmz2JWP8='}

And here are the response headers:

{'X-Application-Context': 'application', 'Authorization': 'WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length', 'Content-Length': '0', 'Date': 'Mon, 04 Mar 2019 10:29:02 GMT', 'Server': '""'}


@meirr

Can you provide me the complete request and response so that I can investigate this in detail?

Regards,

Mehran Khan


Below are the request & response


REQUEST:

Header: {'Date': 'Mon, 04. Mar 2019 10:37:56 GMT', 'Authorization': 'Signature keyId="2f392296-1ddc-4568-a73c-0d06acecdb15",algorithm="hmac-sha256",headers="(request-target) host date",signature="dMdbcN7zXHvLaH+zuR5RmerfT8vUaSjwQUiqkCe/R5k="'}

Params: {“caseId”: "ae59c753-c6f3-4d02-97fd-64d6b9356944" }

URL: https://rms-world-check-one-api-pilot.thomsonreuters.com/v1/caseIdentifiers

Method: HEAD

RESPONSE:

Headers: {'X-Application-Context': 'application', 'Authorization': 'WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length', 'Content-Length': '0', 'Date': 'Mon, 04 Mar 2019 11:04:30 GMT', 'Server': '""'}

Response code:401


@meirr

The difference between the requested time and the API clock time shouldn’t be >30 seconds. When it’s more than 30 seconds, you get a 401. As you can see from your request and response, the difference is almost 27 minutes; that is the reason why you're seeing a 401. Kindly ensure that the date time value that you're sending is in sync with the NTP or the GMT clock for the API call to succeed.


Apologies, my mistake. Here is the new transaction I just made.

The difference between send & receive is 3 sec.

REQUEST:

{'Date': 'Mon, 04. Mar 2019 11:41:46 GMT', 'Authorization': 'Signature keyId="2f392296-1ddc-4568-a73c-0d06acecdb15",algorithm="hmac-sha256",headers="(request-target) host date",signature="uRI4YC4yRzIeznKmzJYFIYy6Dc8Ffhe4p8/azId6CNI="'}

Params: {“caseId”: "ae59c753-c6f3-4d02-97fd-64d6b9356944" }

URL: https://rms-world-check-one-api-pilot.thomsonreuters.com/v1/caseIdentifiers

Method: HEAD

RESPONSE:

Headers: {'X-Application-Context': 'application', 'Authorization': 'WWW-Authenticate: Signature realm="World-Check One API",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length', 'Content-Length': '0', 'Date': 'Mon, 04 Mar 2019 11:41:49 GMT', 'Server': '""'}

Code: 401


@meirr

I tried replicating the issue using your keys, and I was able to successfully fire the API.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

HEAD /v1/caseIdentifiers
Date: Mon, 04 Mar 2019 12:15:51 GMT
Authorization: Signature keyId="2f392296-1ddc-4568-a73c-0d06ace*****",algorithm="hmac-sha256",headers="(request-target) host date",signature="bVsDWVeI2b2MuafRQapgTf0xKhKfw1x7t7LUTz8weqM="
cache-control: no-cache
Postman-Token: ab3ab0d7-d895-4ac7-b0a2-0c89e22ec94f
User-Agent: PostmanRuntime/7.6.0
Accept: */*
Host: rms-world-check-one-api-pilot.thomsonreuters.com
accept-encoding: gzip, deflate
content-length:

HTTP/1.1 200
status: 200
X-Application-Context: application
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Date: Mon, 04 Mar 2019 12:15:50 GMT
Content-Length: 0
Server: ""

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I would suggest that you recheck the credentials being passed, and also delete the existing Postman collection, re-import it and try again.

Let me know your findings.

Regards,

Mehran Khan


Hi, Postman is working on my side also, that's not the problem.

I'm having problems in my Python app.

Do you maybe have code examples for Python or even PHP? The only problem that I can think of is an incorrect signature.
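Added example, not part of the thread and not the vendor's sample code: a Python version of the signature formation and the Date validation that the answers above describe, using the HTTP Signatures draft layout named by the `Authorization: Signature ...` header. The key id and secret are constructed placeholders, and treating the secret as a UTF-8 string and signing exactly `(request-target) host date` are assumptions; the 30-second window, host, path and method are the ones quoted in the thread.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from email.utils import format_datetime

MAX_SKEW_SECONDS = 30                      # validity window quoted in the thread
IMF_FIXDATE = "%a, %d %b %Y %H:%M:%S GMT"  # e.g. Mon, 04 Mar 2019 11:41:46 GMT


def http_date(now=None):
    """Date header value in GMT, independent of local time zone and locale."""
    return format_datetime(now or datetime.now(timezone.utc), usegmt=True)


def signing_string(method, path, host, date):
    """One line per name in headers="(request-target) host date", same order."""
    return "\n".join([
        f"(request-target): {method.lower()} {path}",
        f"host: {host}",
        f"date: {date}",
    ])


def authorization_header(key_id, secret, method, path, host, date):
    data = signing_string(method, path, host, date).encode()
    mac = hmac.new(secret.encode(), data, hashlib.sha256)
    # b64encode returns bytes; decode it, or the header carries the b'...' repr.
    signature = base64.b64encode(mac.digest()).decode("ascii")
    return (f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="(request-target) host date",signature="{signature}"')


def date_problems(sent, server):
    """Reasons a Date header would be rejected, given the server's Date."""
    try:
        sent_at = datetime.strptime(sent, IMF_FIXDATE)
    except ValueError:
        return [f"malformed Date header: {sent!r}"]
    skew = abs((datetime.strptime(server, IMF_FIXDATE) - sent_at).total_seconds())
    if skew > MAX_SKEW_SECONDS:
        return [f"clock skew {skew:.0f}s exceeds {MAX_SKEW_SECONDS}s"]
    return []


if __name__ == "__main__":
    host = "rms-world-check-one-api-pilot.thomsonreuters.com"
    print(authorization_header("example-key-id", "example-secret",  # constructed
                               "HEAD", "/v1/caseIdentifiers", host, http_date()))
```

The `date` passed to `authorization_header` must be the same string that is sent in the `Date` header, and `path` and `host` must match the request as sent, since any byte of difference yields a different signature.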
