Authentication & Signing
Every UTMOS Open Platform endpoint requires an HMAC-SHA256 request signature. This page covers the credentials you need, how to compute the signature, and how to debug common errors.Credentials
The platform issues each integrator:API ID(public identifier)API Key(private secret used for signing)
How to obtain them: request via the platform operations team. Provide your integrator name, intended use cases, and the scopes you need.Keep your API Key strictly confidential. If it leaks, contact the platform immediately to rotate.
Relationship to Web Console Login
Open Platform API keys are only for server-side integration signing. They must not be placed in browsers, mobile local storage, or Web Console page state. Web Console uses a separate human-user auth model with server-set httpOnly session cookies and CSRF tokens for browser mutations. Console users may create, rotate, or disable Open Platform API credentials when their role and approval policy allow it. New secrets are disclosed exactly once; the platform does not store them in later Console pages, JavaScript-readable cookies, localStorage, or sessionStorage.| Scenario | Identity |
|---|---|
Server calls /api/v1/open/* or /api/v1/platform/* | X-Api-Id + HMAC signature |
Browser uses /console or /api/v1/console/* | Console user session cookie + CSRF |
| Create or rotate an Open Platform API key | Console approval flow or HMAC Platform Management API |
| Browser triggers device commands | Do not use an API key directly; a backend integration service should sign |
Required Headers
| Header | Required | Description |
|---|---|---|
X-Api-Id | yes | Application identifier |
X-Api-Timestamp | yes | Unix-seconds timestamp (string) |
X-Api-Nonce | yes | Replay-protection nonce; unique per API ID within the replay window |
X-Api-Signature | yes | HMAC-SHA256 signature, lowercase hex, exactly 64 chars |
X-Request-Id | no | Request correlation ID; generated by the platform when omitted |
Signature Computation
Canonical String
A fixed 8-line layout joined by\n:
UTMOS-HMAC-SHA256METHOD(uppercase)PATH(path only — no query, no host)- Query string encoded with RFC 3986 rules and sorted by key (empty string when no query)
SHA256_HEX(BODY)(hash the empty byte string when no body — yieldse3b0c44...)- The raw
X-Api-Idvalue - The raw
X-Api-Timestampvalue - The raw
X-Api-Noncevalue
POST /api/v1/open/downlink/commands):
Compute the Signature
Use the API Key as the HMAC-SHA256 secret over the canonical string and emit lowercase hex.Timestamp Skew Window
X-Api-Timestamp may differ from the server clock by the credential-configured skew window, defaulting to ±5 minutes. Outside that returns TIMESTAMP_EXPIRED.
Keep your local clock in sync (NTP). If your system spans time zones, remember the value is Unix seconds — time-zone independent.
Nonce Replay Protection
X-Api-Nonce must be unique within the replay window for the current API ID. The platform records nonce usage facts; reuse returns NONCE_REPLAYED. Generate a new nonce for every request, even when the request body and idempotency key are intentionally replayed.
Secret Storage
The platform does not store plaintext API keys. Credential records store tenant binding, status, expiry, rotation timestamps, and signing-secret ciphertext protected with AES-256-GCM. The ciphertext envelope contains key ID, nonce, and ciphertext; decryption occurs only at the signature-verification boundary. Casbin stores authorization policy only and never stores credential material.API Key Rotation
The platform rotates API keys through the credential update endpoint. After a successful rotation, the response returns the new secret exactly once and the platform does not expose the old secret again.- Call the credential update/rotate endpoint with
rotate_secret=true. - Store the one-time
secretreturned in the response. - Recompute signatures with the new secret.
- The old secret becomes invalid immediately after rotation.
Troubleshooting
| Symptom | Likely cause |
|---|---|
UNAUTHORIZED | One of X-Api-Id / X-Api-Timestamp / X-Api-Nonce / X-Api-Signature is missing |
SIGNATURE_INVALID | Wrong API Key; canonical string assembled incorrectly (sort the query, hash even an empty body); proxy mutated the body (compression, line-ending changes, etc.) |
TIMESTAMP_EXPIRED | Local clock drift; you sent milliseconds; you sent an ISO string |
NONCE_REPLAYED | Nonce was reused within the replay window |
FORBIDDEN | API Key lacks tenant-domain authorization for this endpoint (see Scope Catalog) |