Categories

Bonsai icon
Introduction to Bonsai
app icon
Using the Bonsai App
features icon
Bonsai Features
Heroku icon
Heroku User Guide for Bonsai
guide icon
Language & Framework Guides
integrations icon
Integrations
Platform
Version support icon
Elasticsearch & OpenSearch Version Support
managing search resources icon
Managing your search resources
troubleshooting icon
Troubleshooting
API icon
API guide
FAQ icon
Bonsai FAQ
Security FAQ icon
Compliance & Security FAQ
Docs
>
Introduction to BonsaiUsing the Bonsai AppBonsai FeaturesHeroku User Guide for BonsaiLanguage & Framework GuidesIntegrationsPlatformElasticsearch & OpenSearch Version SupportManaging Your ResourcesTroubleshootingAPI GuideBonsai FAQCompliance & Security
>
Using HMAC Authentication

Using HMAC Authentication

The Bonsai API supports a hash-based message authentication code protocol for authenticating requests.
Last updated
June 13, 2023

Alpha Stage

The Bonsai API is currently in its Alpha release phase. It may not be feature-complete, and is subject to change without notice. If you have any questions about the roadmap of the API, please reach out to support.

HMAC

The Bonsai API supports a hash-based message authentication code protocol for authenticating requests. This scheme allows the API to simultaneously verify both the integrity and the authenticity of a user’s request.

This authentication protocol requires that all API requests include three HTTP headers:

  • X-BonsaiApi-Time. The current Unix time – seconds since epoch. This value helps to guarantee uniqueness over time, and must be within one minute of our server time to prevent replay attacks.
  • X-BonsaiApi-Key. The API token’s key, as generated within the Bonsai application. This key will also have a corresponding secret.
  • X-BonsaiApi-Hmac. The hexadecimal HMAC-SHA1 digest of your shared secret and the concatenation of the above time and public key.

For example, in Ruby, the X-BonsaiApi-Auth header can be computed as: OpenSSL::HMAC.hexdigest('sha1', token_secret, "#{time}#{token_key}"), where the token_secret is the API key’s secret.

View code snippet
Close code snippet
By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
DenyAccept

One More Cloud

The search experts. Makers of Bonsai and Websolr.

Subscribe for product updates:

Elasticsearch is a trademark of Elasticsearch BV. Apache and Apache Lucene are trademarks of the Apache Software Foundation.

Status

|

FAQ

|

Terms

|

Privacy

Resources

Search AssessmentHeroku AddonPricingDocsBlogAnnouncementsCareersContact

Platform

Elasticsearch on Google CloudElasticsearch on AWSOpenSearch on Google CloudOpenSearch on AWS

ES/OS-as-a-Service

Managed ElasticsearchManaged OpenSearch

© One More Cloud, Inc. All Rights Reserved