# API Security

Before integration starts, the Operator must request API credentials from the Game Aggregator.

* **API Key** - A unique 64-character alphanumeric string that identifies the Operator.
* **API Secret** - A unique 64-character alphanumeric string that is used to sign the request body.

## Transport Layer Encryption

All communications between Operator and Game Aggregator must be secured through **HTTPS**.

This is to protect against man-in-the-middle attacks and eavesdropping.

## Authentication

All API calls from Operator to Game Aggregator must include **X-API-Key** and **X-Signature** in the header.

This is to allow the Game Aggregator system to verify the Operator's identity.

## X-Signature

This value, provided in the request header, is used to prevent data tampering.

The signature is generated using the **HMAC-SHA256** algorithm, with the API Secret as the key and the request body as the message.

#### Request Body:

```json
{
    "traceId": "f8c3de3d-1fea-4d7c-a8b0-29f63c4c3455",
    "username": "bob12345",
    "gameId": 1,
    "language": "zh",
    "platform": "web",
    "currency": "CNY"
}
```

#### API Secret:

```
813e9cb10f35c37a059c2761465781275ad641d3cb85436cdd17f08b0a6b50bf
```

{% tabs %}
{% tab title="Command Line" %}

```bash
echo -n "{\"traceId\":\"f8c3de3d-1fea-4d7c-a8b0-29f63c4c3455\",\"username\":\"bob12345\",\"gameId\":1,\"language\":\"zh\",\"platform\":\"web\",\"currency\":\"CNY\"}" | openssl dgst -sha256 -hmac "813e9cb10f35c37a059c2761465781275ad641d3cb85436cdd17f08b0a6b50bf"
```

{% endtab %}
{% endtabs %}

#### Generated Signature:

```
d6b093eef96f5f2557589bd188f49d030eed994b69612fbaf3690b2b8b897362
```
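
The same signing step in Python, as an added example that is not part of the Game Aggregator's own code. It signs the compact JSON string used in the command above (not the pretty-printed form) and sends exactly those bytes, since any re-serialization changes the HMAC. The `serialize`, `sign`, `verify` and `build_request` helpers are hypothetical names, and `verify` only illustrates a receiver-side check.

```python
import hashlib
import hmac
import json

# Sample API Secret and request fields copied from this page.
API_SECRET = "813e9cb10f35c37a059c2761465781275ad641d3cb85436cdd17f08b0a6b50bf"
REQUEST = {
    "traceId": "f8c3de3d-1fea-4d7c-a8b0-29f63c4c3455",
    "username": "bob12345",
    "gameId": 1,
    "language": "zh",
    "platform": "web",
    "currency": "CNY",
}


def serialize(payload: dict) -> bytes:
    """Compact JSON (no whitespace), matching the string signed in the command above."""
    return json.dumps(payload, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def sign(body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 of the exact body bytes, keyed with the API Secret string."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify(body: bytes, signature: str, secret: str) -> bool:
    """Recompute over the received bytes and compare in constant time (illustrative)."""
    return hmac.compare_digest(sign(body, secret).encode(), signature.encode())


def build_request(payload: dict, api_key: str, secret: str):
    """Serialize once, sign those bytes, and return the same bytes as the body."""
    body = serialize(payload)
    headers = {"X-API-Key": api_key, "X-Signature": sign(body, secret)}
    return headers, body


if __name__ == "__main__":
    # "<your-api-key>" is a placeholder; the page does not give a sample API Key.
    headers, body = build_request(REQUEST, "<your-api-key>", API_SECRET)
    sig = headers["X-Signature"]
    print("X-Signature:", sig)
    print("body as sent:", verify(body, sig, API_SECRET))
    tampered = body.replace(b'"gameId":1', b'"gameId":2')
    print("tampered body:", verify(tampered, sig, API_SECRET))
    pretty = json.dumps(REQUEST, indent=4).encode("utf-8")
    print("re-serialized body:", verify(pretty, sig, API_SECRET))
```
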
