Categories

Introduction to Bonsai
Using the Bonsai App
Bonsai Features
Heroku User Guide for Bonsai
Language & Framework Guides
Integrations
Platform
Elasticsearch & OpenSearch Version Support
Managing your search resources
Troubleshooting
API guide
Bonsai FAQ
Compliance & Security FAQ
Docs
>
Introduction to BonsaiUsing the Bonsai AppBonsai FeaturesHeroku User Guide for BonsaiLanguage & Framework GuidesIntegrationsPlatformElasticsearch & OpenSearch Version SupportManaging Your ResourcesTroubleshootingAPI GuideBonsai FAQCompliance & Security
>
Using HMAC Authentication

Using HMAC Authentication

The Bonsai API supports a hash-based message authentication code protocol for authenticating requests.
Last updated
June 13, 2023

Alpha Stage

The Bonsai API is currently in its Alpha release phase. It may not be feature-complete, and is subject to change without notice. If you have any questions about the roadmap of the API, please reach out to support.

HMAC

The Bonsai API supports a hash-based message authentication code protocol for authenticating requests. This scheme allows the API to simultaneously verify both the integrity and the authenticity of a user’s request.

This authentication protocol requires that all API requests include three HTTP headers:

  • X-BonsaiApi-Time. The current Unix time – seconds since epoch. This value helps to guarantee uniqueness over time, and must be within one minute of our server time to prevent replay attacks.
  • X-BonsaiApi-Key. The API token’s key, as generated within the Bonsai application. This key will also have a corresponding secret.
  • X-BonsaiApi-Hmac. The hexadecimal HMAC-SHA1 digest of your shared secret and the concatenation of the above time and public key.

For example, in Ruby, the X-BonsaiApi-Auth header can be computed as: OpenSSL::HMAC.hexdigest('sha1', token_secret, "#{time}#{token_key}"), where the token_secret is the API key’s secret.

View code snippet
Close code snippet

One More Cloud

The search experts. Makers of Bonsai and Websolr.

Subscribe for product updates:

Elasticsearch is a trademark of Elasticsearch BV. Apache and Apache Lucene are trademarks of the Apache Software Foundation.

Status

|

FAQ

|

Terms

|

Privacy

Resources

Search AssessmentHeroku AddonPricingDocsBlogAnnouncementsCareersContact

Platform

Elasticsearch on Google CloudElasticsearch on AWSOpenSearch on Google CloudOpenSearch on AWS

ES/OS-as-a-Service

Managed ElasticsearchManaged OpenSearch

© One More Cloud, Inc. All Rights Reserved