Authentication
To use EBP APIs, every request must include headers for authentication and integrity verification.
1. Access Key
The following header must be included in all EBP API calls.
| Header Name | Description | Remarks |
|---|---|---|
| X-Access-Key | Store and channel-specific authentication key issued by EBP | Required for all requests |
The X-Access-Key is used to verify access permissions to the EBP system. It is uniquely issued per store and channel, and should be managed securely to prevent exposure.
[!CAUTION] Validity and Renewal
The X-Access-Key is valid for one year from the date of initial issuance. A renewal process must be completed before the expiration date, as API calls cannot be made with an expired key.
2. Signature
The X-EBP-Signature header must be included to ensure the integrity of all API requests. This value is generated using the SHA-256 algorithm.
Generation Rules (Input Rules)
- Construct Input Message:
  - GET: The full Query String (including the leading `?`). e.g., `?countryCode=UK&storeId=123`
  - POST: The raw Request Body (exactly as transmitted, including whitespace, newlines, and key order). e.g., `{"userNo":123,"items":["p1"]}`
- Concatenation: `Input Message + Hash Key`
  - The Hash Key is issued by EBP and managed per store.
- Hashing: Hash the concatenated string using the SHA-256 algorithm. (UTF-8 encoding is recommended)
- Encoding: Convert the hashing result (32 bytes) into a Hex-encoded string and set it as the header value.
Generation Example

```java
import org.apache.commons.codec.digest.DigestUtils;

/**
 * Generate signature using Apache Commons Codec library
 * @param message GET: Query String(starts with '?') / POST: JSON Body
 * @param hashKey Hash Key issued by EBP
 */
public String generateSignature(String message, String hashKey) {
    return DigestUtils.sha256Hex(message + hashKey);
}
```

```javascript
const crypto = require('crypto');

/**
 * Generate signature using Node.js built-in crypto module
 */
function generateSignature(message, hashKey) {
  return crypto
    .createHash('sha256')
    .update(message + hashKey)
    .digest('hex');
}
```

```javascript
/**
 * Generate signature asynchronously using Browser Web Crypto API
 */
async function generateSignature(message, hashKey) {
  const encoder = new TextEncoder();
  const data = encoder.encode(message + hashKey);
  const hashBuffer = await crypto.subtle.digest('SHA-256', data);
  // Convert ArrayBuffer to Hex string
  return Array.from(new Uint8Array(hashBuffer))
    .map(b => b.toString(16).padStart(2, '0'))
    .join('');
}
```

[!WARNING] Security Notice
Generating signatures in browser-side (client-side) JavaScript carries a high risk of exposing your Hash Key in the source code. For security reasons, always generate signatures on the server side (Java, Node.js, etc.) in actual production environments.

```javascript
// Postman pre-request script
// 1. Setup: Hash Key issued by EBP (environment or collection variable recommended)
const hashKey = pm.variables.get('hashKey') || 'YOUR_HASH_KEY';
let message = "";

// 2. Construct message based on HTTP Method
if (pm.request.method === 'GET') {
  // Extract entire Query String including '?' from URL.
  // Resolve {{...}} variables first so the signed string matches what is sent.
  const urlString = pm.variables.replaceIn(pm.request.url.toString());
  const qIndex = urlString.indexOf('?');
  message = qIndex !== -1 ? urlString.substring(qIndex) : "";
} else {
  // Use raw body with variables ({{...}}) substituted
  message = pm.variables.replaceIn(pm.request.body.raw || "");
}

// 3. Generate SHA-256 hash and set header
const signature = CryptoJS.SHA256(message + hashKey).toString();
pm.request.headers.upsert({
  key: 'X-EBP-Signature',
  value: signature
});
```

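The generation rules applied end to end for a server-side Node.js caller, as an added example that is not EBP's own code: the body is serialized once and that same string is both signed and transmitted, so whitespace and key order cannot drift between the two. The `buildSignedRequest` helper, the host, the paths and the sample keys are hypothetical, and signing the query string in its on-the-wire (percent-encoded) form is an assumption.

```javascript
const { createHash } = require('node:crypto');

// SHA-256 over (message + hashKey), hex-encoded, per the generation rules.
function generateSignature(message, hashKey) {
  return createHash('sha256').update(message + hashKey, 'utf8').digest('hex');
}

/**
 * Build the headers and the exact payload for one EBP call (hypothetical helper).
 * Assumption: the query string is signed in the form it goes on the wire
 * (URL.search: percent-encoded, leading '?' included).
 */
function buildSignedRequest({ method, url, body, accessKey, hashKey }) {
  const verb = method.toUpperCase();
  let message;
  let payload; // exact string to transmit; stays undefined for GET

  if (verb === 'GET') {
    message = new URL(url).search; // '' when the URL has no query string
  } else {
    // Serialize once. The signed string and the transmitted string must be the
    // same bytes, so pass `payload` to the HTTP client, never the object.
    payload = body === undefined ? ''
      : typeof body === 'string' ? body : JSON.stringify(body);
    message = payload;
  }

  return {
    method: verb,
    url,
    body: payload,
    headers: {
      'X-Access-Key': accessKey,
      'X-EBP-Signature': generateSignature(message, hashKey),
    },
  };
}

// Constructed sample values; real keys belong in a secret store, not in source.
const sample = { accessKey: 'SAMPLE_ACCESS_KEY', hashKey: 'SAMPLE_HASH_KEY' };
const getReq = buildSignedRequest({ method: 'GET', ...sample,
  url: 'https://ebp.example.invalid/stores?countryCode=UK&storeId=123' });
const postReq = buildSignedRequest({ method: 'POST', ...sample,
  url: 'https://ebp.example.invalid/orders', body: { userNo: 123, items: ['p1'] } });
console.log(getReq.headers, postReq.headers, postReq.body);
```

Send `postReq.body` as the request body unchanged; an HTTP client option that re-serializes an object would produce bytes the signature no longer covers.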
Inquiries: ebp-server@lge.com