Authentication

Authenticating requests

The Brevix API uses OAuth 2.0 and HMAC for secure API access. This flow enables your application to act on behalf of users:

• Register Your App — In Brevix’s API Settings, register a new application to receive apikey, client_id and client_secret.
• To authenticate requests, include a X-SIGNATURE, X-API-KEY and X-TIMESTAMP header with the value "{YOUR_CLIENT_KEY}".
• To get your HMAC auth, follow these steps : -
  • You can retrieve your token by visiting your dashboard and clicking Generate API token.
  • HMAC (signature) authentication
    To sign requests using HMAC, follow these steps:-

        
    
            Algorithm: HMAC-SHA256
            Secret: your API secret (keep this private)
            String to sign: HTTP method + "\n" + request path + "\n" + timestamp + "\n" + body hash (or empty for no body)
            Headers: include Authorization: HMAC {API_KEY}:{SIGNATURE} and X-Timestamp: {TIMESTAMP}
        
    

    Examples: CURL example:

        
            curl -H "Authorization: HMAC {API_KEY}:{SIGNATURE}" \
            -H "X-Timestamp: {TIMESTAMP}" \
            -H "Content-Type: application/json" \
            -d `{"foo":"bar"}` \
            https://api.brevix.ly/v1/resource
        
    

    PHP example:

        
            $method = strtoupper($method);
            $path = "/v1/resource";
            $timestamp = time();
            $bodyHash = $body ? hash("sha256", $body) : "";
            $stringToSign = $method . `\n` . $path . `\n` . $timestamp . `\n` . $bodyHash;
            $signature = hash_hmac("sha256", $stringToSign, $secret);
            $authHeader = "Authorization: HMAC {$apiKey}:{$signature}";
        
    

    Python example:

        
    
            import time
            import hmac
            import hashlib
            method = method.upper()
            path = "/v1/resource"
            timestamp = str(int(time.time()))
            body_hash = hashlib.sha256(body.encode()).hexdigest() if body else ""
            string_to_sign = method + "\n" + path + "\n" + timestamp + "\n" + body_hash
            signature = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()
            auth_header = "Authorization: HMAC {api_key}:{signature}"
        
    

    JavaScript example:

        
    
            const crypto = require("crypto");
            const method = method.toUpperCase();
            const path = "/v1/resource";
            const timestamp = Math.floor(Date.now() / 1000).toString();
            const bodyHash = body ? crypto.createHash("sha256").update(body).digest("hex") : "";
            const stringToSign = `${method}\n${path}\n${timestamp}\n${bodyHash}`;
            const signature = crypto.createHmac("sha256", secret).update(stringToSign).digest("hex");
            const authHeader = `Authorization: HMAC ${apiKey}:${signature}`;