AMX Authorization Header

The AMX Authorization Header is used to secure access to the Application Management API. It uses a per call token that is generated using the API ID and key that was provided. It hashes the contents and uses a NONCE for additional security.

The resulting header will be similar to the following:

amx 2f6e9850e69c4d98a096f90717e05fea:E9XhgYR8PBjEmt765YS/5GcD3OOnX0HzHvEHbtSRMlI=:7ed378c1967441bbafa469e1d88f7d18:1475264552

The following is an example in C#:

    class Program
        static void Main(string[] args)
            string requestString =
            string requestContent = "{ 'client_name'   : 'My Cool App 2', 'application_type' : 'native', 'client_type' : 'confidential', 'redirect_uris': ['http://localhost/callback','urn:ietf:wg:oauth:2.0:oob', '']}";
            string requestHttpMethod = "POST";
            string _appID = "2f6e9850e69c4d98a096f90717e05fea";
            string _apiKey = "pADfT6idcLKglD3ZccE4ixsAwZR5ePSvI6y5J3sn61M=";

            string requestUri = System.Web.HttpUtility.UrlEncode(requestString.ToLower());

            string requestContentBase64String = string.Empty;

            //Calculate UNIX time
            DateTime epochStart = new DateTime(1970, 01, 01, 0, 0, 0, 0, DateTimeKind.Utc);
            TimeSpan timeSpan = DateTime.UtcNow - epochStart;
            string requestTimeStamp = Convert.ToUInt64(timeSpan.TotalSeconds).ToString();

            //create random nonce for each request
            string nonce = Guid.NewGuid().ToString("N");

            // Hash the contents
            if (!string.IsNullOrEmpty(requestContent))
                byte[] content = Encoding.UTF8.GetBytes(requestContent);
                MD5 md5 = MD5.Create();
                //Hashing the request body, any change in request body will result in different hash, we'll incure message integrity
                byte[] requestContentHash = md5.ComputeHash(content);
                requestContentBase64String = Convert.ToBase64String(requestContentHash);

            //Creating the raw signature string
            string signatureRawData = String.Format("{0}{1}{2}{3}{4}{5}", _appID, requestHttpMethod, requestUri, requestTimeStamp, nonce, requestContentBase64String);

            var secretKeyByteArray = Convert.FromBase64String(_apiKey);

            byte[] signature = Encoding.UTF8.GetBytes(signatureRawData);

            using (HMACSHA256 hmac = new HMACSHA256(secretKeyByteArray))
                byte[] signatureBytes = hmac.ComputeHash(signature);
                string requestSignatureBase64String = Convert.ToBase64String(signatureBytes);
                //Setting the values in the Authorization header using custom scheme (amx)
                var authorizationHeader = "amx " + string.Format("{0}:{1}:{2}:{3}", _appID, requestSignatureBase64String, nonce, requestTimeStamp);

                Console.WriteLine("AuthorizationHeader " + authorizationHeader);
                Console.WriteLine("Press any key to continue");

The following is an example in JavaScript:

The following is an example in Java: