# Authentication

To use EBP APIs, every request must include headers for authentication and integrity verification.

## 1. Access Key

The following header must be included in all EBP API calls.

| Header Name | Description | Remarks |
| :--- | :--- | :--- |
| `X-Access-Key` | Store and channel-specific authentication key issued by EBP | Required for all requests |

The `X-Access-Key` is used to verify access permissions to the EBP system. It is uniquely issued per store and channel, and should be managed securely to prevent exposure.

> [!CAUTION] **Validity and Renewal**
> The `X-Access-Key` is valid for **one year** from the date of initial issuance. A renewal process must be completed before the expiration date, as API calls cannot be made with an expired key.

## 2. Signature

The `X-EBP-Signature` header must be included to ensure the integrity of all API requests. This value is generated using the SHA-256 algorithm.

### Generation Rules (Input Rules)

1. Construct Input Message:
   - GET: The full Query String (including the leading `?`). e.g., `?countryCode=UK&storeId=123`
   - POST: The raw Request Body (exactly as transmitted, including whitespace, newlines, and key order). e.g., `{"userNo":123,"items":["p1"]}`
2. Concatenation: `Input Message + Hash Key`
   - The Hash Key is issued by EBP and managed per store.
3. Hashing: Hash the concatenated string using the SHA-256 algorithm. (UTF-8 encoding is recommended)
4. Encoding: Convert the hashing result (32 bytes) into a Hex-encoded string and set it as the header value.
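The raw-body rule for POST in practice, as an added Node.js example that is not part of EBP's documentation: serialize the payload once, sign that exact string, and send the same string, because re-serializing it (indentation, key order) changes the signature. The key values, the `Content-Type` header, and the helper names `inputMessage`, `buildSignedPost` and `signatureMatchesBody` are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Constructed placeholder values; real keys are issued by EBP per store and channel.
const HASH_KEY = 'example-hash-key-not-real';
const ACCESS_KEY = 'example-access-key-not-real';

// Hex-encoded SHA-256 over (input message + Hash Key), UTF-8 encoded.
function generateSignature(message, hashKey) {
  return crypto.createHash('sha256').update(message + hashKey, 'utf8').digest('hex');
}

// GET: query string including the leading '?'; other methods: the exact body string.
function inputMessage(method, url, rawBody) {
  if (method.toUpperCase() === 'GET') {
    const q = url.indexOf('?');
    return q === -1 ? '' : url.slice(q);
  }
  return rawBody || '';
}

// Serialize once, sign that exact string, and transmit that same string.
function buildSignedPost(payload, accessKey, hashKey) {
  const body = JSON.stringify(payload);
  return {
    body,
    headers: {
      'Content-Type': 'application/json', // assumed; the page only says the body is JSON
      'X-Access-Key': accessKey,
      'X-EBP-Signature': generateSignature(inputMessage('POST', '', body), hashKey),
    },
  };
}

// Pre-send self-check: does the string about to go on the wire match the signature?
function signatureMatchesBody(wireBody, signature, hashKey) {
  const expected = Buffer.from(generateSignature(wireBody, hashKey), 'hex');
  const given = Buffer.from(signature, 'hex');
  return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}

const req = buildSignedPost({ userNo: 123, items: ['p1'] }, ACCESS_KEY, HASH_KEY);
const sig = req.headers['X-EBP-Signature'];
console.log('exact body :', signatureMatchesBody(req.body, sig, HASH_KEY));
// Same data, re-serialized with indentation: the signature no longer matches.
const pretty = JSON.stringify(JSON.parse(req.body), null, 2);
console.log('pretty body:', signatureMatchesBody(pretty, sig, HASH_KEY));
```

An HTTP client that is handed the payload object instead of `req.body` may serialize it again on its own, so pass the signed string through unchanged.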

### Generation Example

[tabs]

[tab:Java]

```java
import org.apache.commons.codec.digest.DigestUtils;

/**
 * Generate signature using Apache Commons Codec library
 * @param message GET: Query String (starts with '?') / POST: JSON Body
 * @param hashKey Hash Key issued by EBP
 */
public String generateSignature(String message, String hashKey) {
    return DigestUtils.sha256Hex(message + hashKey);
}
```

[tab:Node.js]

```javascript
const crypto = require('crypto');

/**
 * Generate signature using Node.js built-in crypto module
 */
function generateSignature(message, hashKey) {
  return crypto
    .createHash('sha256')
    .update(message + hashKey)
    .digest('hex');
}
```

[tab:JavaScript(Browser)]

```javascript
/**
 * Generate signature asynchronously using Browser Web Crypto API
 */
async function generateSignature(message, hashKey) {
  const encoder = new TextEncoder();
  const data = encoder.encode(message + hashKey);
  const hashBuffer = await crypto.subtle.digest('SHA-256', data);

  // Convert ArrayBuffer to Hex string
  return Array.from(new Uint8Array(hashBuffer))
    .map(b => b.toString(16).padStart(2, '0'))
    .join('');
}
```

> [!WARNING] **Security Notice**
> Generating signatures in browser-side (client-side) JavaScript carries a high risk of **exposing your Hash Key** in the source code. For security reasons, **always generate signatures on the server side (Java, Node.js, etc.)** in actual production environments.

[tab:Postman(Pre-request)]

```javascript
// 1. Setup: Hash Key issued by EBP (Environment or Collection variable recommended)
const hashKey = pm.variables.get('hashKey') || 'YOUR_HASH_KEY';
let message = "";

// 2. Construct message based on HTTP Method
if (pm.request.method === 'GET') {
  // Extract entire Query String including '?' from URL
  const urlString = pm.request.url.toString();
  const qIndex = urlString.indexOf('?');
  message = qIndex !== -1 ? urlString.substring(qIndex) : "";
} else {
  // Use raw body with variables ({{...}}) substituted
  message = pm.variables.replaceIn(pm.request.body.raw || "");
}

// 3. Generate SHA-256 hash and set header
const signature = CryptoJS.SHA256(message + hashKey).toString();
pm.request.headers.upsert({ key: 'X-EBP-Signature', value: signature });
```

[/tabs]

---

**Inquiries:** [ebp-server@lge.com](mailto:ebp-server@lge.com)