This page currently applies only to Bango Resale for resellers.
Bango requires HTTP message signing for Bango Resale calls. This stops unauthorized access to the Bango Platform, and ensures the data integrity of all your calls to Bango Resale.
Bango requires the reseller to provide a public key, which is used to verify all signed API requests made to Bango. The key must be an RSA key, 1024 bits in length, used with the RSA-SHA256 algorithm. The public key must be provided as either a PEM file or RSA key XML.
Bango makes use of the following sections from the signing HTTP messages IETF documentation: 2.1.1, 2.1.2, 2.1.3, 2.1.6 and 2.4.
Below is what the headers must look like for a signed request to the Bango Resale:
Constructing the request headers:
Created
The value must be a Unix timestamp integer value. Full details can be found here. The time difference between the timestamp and the current UTC time should be within 120 seconds.
Signature
A breakdown of the signature can be found in the table below. There must be a space after each comma in the signature. See the example in the section above. Full details can be found here.
Detail | Value | Description |
---|---|---|
keyId | RSA-SHA256V1 | A constant string which refers to the RSA-SHA256 algorithm used to sign the request. |
headers | Created | Refers to the header that is used as part of the signature string. The minimum expected by Bango is Created; however, you can include more by using a semicolon to separate them, e.g. headers=Created;EntitlementId |
signature | Base64(RSA-SHA256(Signature String)) | Refers to the Base64 encoded string of the RSA-SHA256 algorithm applied over the Signature String. |
Signature String | See example below. | This refers to the actual content that would be encoded. This contains the headers and the payload of the request. The payload must not contain carriage return, horizontal tab and new lines. |
Example Private Key
<RSAKeyValue><Modulus>21wEnTU+mcD2w0Lfo1Gv4rtcSWsQJQTNa6gio05AOkV/Er9w3Y13Ddo5wGtjJ19402S71HUeN0vbKILLJdRSES5MHSdJPSVrOqdrll/vLXxDxWs/U0UT1c8u6k/Ogx9hTtZxYwoeYqdhDblof3E75d9n2F0Zvf6iTb4cI7j6fMs=</Modulus><Exponent>AQAB</Exponent><P>/aULPE6jd5IkwtWXmReyMUhmI/nfwfkQSyl7tsg2PKdpcxk4mpPZUdEQhHQLvE84w2DhTyYkPHCtq/mMKE3MHw==</P><Q>3WV46X9Arg2l9cxb67KVlNVXyCqc/w+LWt/tbhLJvV2xCF/0rWKPsBJ9MC6cquaqNPxWWEav8RAVbmmGrJt51Q==</Q><DP>8TuZFgBMpBoQcGUoS2goB4st6aVq1FcG0hVgHhUI0GMAfYFNPmbDV3cY2IBt8Oj/uYJYhyhlaj5YTqmGTYbATQ==</DP><DQ>FIoVbZQgrAUYIHWVEYi/187zFd7eMct/Yi7kGBImJStMATrluDAspGkStCWe4zwDDmdam1XzfKnBUzz3AYxrAQ==</DQ><InverseQ>QPU3Tmt8nznSgYZ+5jUo9E0SfjiTu435ihANiHqqjasaUNvOHKumqzuBZ8NRtkUhS6dsOEb8A2ODvy7KswUxyA==</InverseQ><D>cgoRoAUpSVfHMdYXW9nA3dfX75dIamZnwPtFHq80ttagbIe4ToYYCcyUz5NElhiNQSESgS5uCgNWqWXt5PnPu4XmCXx6utco1UVH8HGLahzbAnSy6Cj3iUIQ7Gj+9gQ7PkC434HTtHazmxVgIR5l56ZjoQ8yGNCPZnsdYEmhJWk=</D></RSAKeyValue>
Constructing the signature string
The example signature below was created using the private key provided above and the payload set out below:
BASE64(RSA-SHA256(created + payload from request))
Example:
signature = BASE64(RSA-SHA256(
1576595412
{
"customerIdentifier": "my-user-123456789",
"merchantAccountKey": "BANGO",
"productKey": "BangoMusic",
"notificationUrl": "https://example.com/entitlement/notification"
}
))
//The combination of the created header value and payload from the request would create the following signature.
YQi9uNAkqXFMigidHijmM9Z8ahVq8B0LM2rHXJruIocR8ujk0sonSLq6LuMMEWRfnpUmmsqzuulpNiQoeRfLFxVKoamTeKPGisJpdw6fREPJeHmz2nGoA7/vQ2YFKDUpUtByE8ZUjdrbHTf/0kPvyPIuuRT6uJaFEBwX+XJRC+8=
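The steps above (Created freshness window, signature string, Base64 RSA-SHA256 signature) as one runnable sketch for both the signing and the verifying side. This is an added example, not Bango's code: it uses the example key from this page, and it assumes PKCS#1 v1.5 padding and a signature string formed by the Created value followed directly by the compact JSON payload, so it is not claimed to reproduce the sample signature above byte for byte.

```python
import base64, hashlib, hmac, json, time

# Example key from this page: Modulus, Exponent and D of the RSAKeyValue XML.
N_B64 = "21wEnTU+mcD2w0Lfo1Gv4rtcSWsQJQTNa6gio05AOkV/Er9w3Y13Ddo5wGtjJ19402S71HUeN0vbKILLJdRSES5MHSdJPSVrOqdrll/vLXxDxWs/U0UT1c8u6k/Ogx9hTtZxYwoeYqdhDblof3E75d9n2F0Zvf6iTb4cI7j6fMs="
D_B64 = "cgoRoAUpSVfHMdYXW9nA3dfX75dIamZnwPtFHq80ttagbIe4ToYYCcyUz5NElhiNQSESgS5uCgNWqWXt5PnPu4XmCXx6utco1UVH8HGLahzbAnSy6Cj3iUIQ7Gj+9gQ7PkC434HTtHazmxVgIR5l56ZjoQ8yGNCPZnsdYEmhJWk="
n, e, d = (int.from_bytes(base64.b64decode(v), "big") for v in (N_B64, "AQAB", D_B64))
K = (n.bit_length() + 7) // 8  # modulus length in bytes (128 for a 1024-bit key)
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")
MAX_SKEW = 120  # seconds allowed between Created and current UTC time

def signature_string(created: int, payload: dict) -> bytes:
    # Assumption: Created value, then the JSON body serialised without
    # carriage returns, tabs or newlines, with nothing in between.
    return (str(created) + json.dumps(payload, separators=(",", ":"))).encode("utf-8")

def emsa_pkcs1_v15(message: bytes) -> bytes:
    # Assumption: PKCS#1 v1.5 encoding of the SHA-256 digest.
    t = DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(created: int, payload: dict) -> str:
    # Plain modular exponentiation for illustration; production code should
    # use a vetted RSA library and a key that is not published.
    m = int.from_bytes(emsa_pkcs1_v15(signature_string(created, payload)), "big")
    return base64.b64encode(pow(m, d, n).to_bytes(K, "big")).decode("ascii")

def verify(created: int, payload: dict, signature_b64: str, now=None) -> bool:
    now = int(time.time()) if now is None else now
    if abs(now - created) > MAX_SKEW:  # stale or future-dated request
        return False
    try:
        sig = base64.b64decode(signature_b64, validate=True)
    except ValueError:
        return False
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= n:
        return False
    expected = emsa_pkcs1_v15(signature_string(created, payload))
    return hmac.compare_digest(pow(s, e, n).to_bytes(K, "big"), expected)

# Values taken from the example on this page.
CREATED = 1576595412
PAYLOAD = {"customerIdentifier": "my-user-123456789", "merchantAccountKey": "BANGO",
           "productKey": "BangoMusic",
           "notificationUrl": "https://example.com/entitlement/notification"}
```

Because the timestamp is part of the signed bytes, a captured request cannot be replayed with a fresh Created value: changing it invalidates the signature, and leaving it unchanged fails the 120-second check.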
If the Bango Resale responds with HTTP 401 UNAUTHORIZED, this may mean your request has failed due to a message signing issue.
Below is a list of the HTTP status code 401 response messages: