Bango uses cookies to give you the best website experience. By using this website you agree to let Bango use cookies. More info
Bango Developer
  1. Bango Platform
  2. Connectivity and security

Signing HTTP Messages

Bango requires HTTP message signing for Bango Resale API calls. This stops unauthorized access to the Bango Platform, and ensures the data integrity of all your calls to Bango Resale.

Bango requires the reseller to provide a public key which will be used to verify all signed API requests made to Bango. The key must be RSA-SHA256 algorithm and be 1024 bit length. The public key must be provided as either a pem file or RSA key xml.

Bango makes use of the following sections from the signing HTTP messages IETF documentation: 2.1.1, 2.1.2, 2.1.3, 2.1.6 and 2.4.

Below is what the headers must look like for a signed request to the Bango Resale API:

  • Created: 1402174295
  • Signature: keyId=RSA-SHA256V1, headers=Created, signature=Base64(RSA-SHA256(Signature String))

Constructing the request headers:


The value must be a Unix timestamp integer value. Full details can be found here. The time difference between the timestamp and the current UTC time should be within 120 seconds.


A breakdown of the signature can be found in the below table. There must be a space after each comma in the signature. See the example in the section above. Full details can be found here.

keyIdRSA-SHA256V1A constant string which refers to the RSA-SHA256 algorithm used to sign the request.
headersCreatedRefers to the header that is used as part of the signature string. The minimum expected by Bango is created however you can include more by using a semicolon to seperate them. E.g. headers=Created;EntitlementId
signatureBase64(RSA-SHA256(Signature String))Refers to the Base64 encoded string of the RSA-SHA256 algorithm applied over the Signature String.
Signature StringSee example below.This refers to the actual content that would be encoded. This contains the headers and the payload of the request. The payload must not contain carriage return, horizontal tab and new lines.

Example Private Key


Constructing the signature string

The below example signature produced below was created using the private key provided above with the payload set out below:

BASE64(SHA256(created + payload from request))

signature = BASE64 (SHA-256(
        "customerIdentifier": "my-user-123456789",
        "merchantAccountKey": "BANGO",
        "productKey": "BangoMusic",
        "notificationUrl": ""

//The combination of the created header value and payload from the request would create the following signature.

If the Bango Resale API responds with HTTP 401 UNAUTHORIZED, this may mean your request has failed due to a message signing issue.
Below is a list of the http status code 401 response messages:

  • "No valid key found." - A valid public key could not be found for the reseller. Either a public key isn't set or the public key set has expired.
  • "Signature or header content is missing." - A header defined as provided in the signature is missing from the request.
  • "Signature is invalid." - The signature value in the request to Bango doesn't match the signature Bango has generated with the public key.

Copyright © 2000–2020 Limited