CSML Studio
LanguageStudioGithub
Search…
Introduction
🦜
Getting started
Create Your First Bot
The Dashboard
AI & Natural Language Processing
Apps and Integrations
Livechat
Bot Configuration Options
💻
CSML Language Reference
🔌
Studio API
Getting Started
Authentication
Studio CLI
API Reference
📱
Channels
Introduction
Webapp
Messenger
Workplace Chat
Microsoft Teams
Google Chat
Whatsapp (with MessageBird)
Instagram
Telegram
SMS (with Twilio)
Slack
Callbots (with Twilio)
Amazon Alexa
Google Assistant
Upcoming channels
Powered By GitBook
Authentication

Authentication

All API calls are authenticated with the combination of two separate keys: API Key and API Secret.
The API Key is the public key and can be put in clear client-side. The API Secret should never be shared publicly.
To authenticate all your HTTP calls, you need to set the following headers: X-Api-Key and X-Api-Digest. The CSML Studio API uses HMAC authentication to ensure that all calls are properly signed with both the API Key and API Secret, while preventing man-in-the-middle attacks and replay attacks.
The X-Api-Signature process MUST NEVER be done on the client side, as this would give control to your bot to any person in control of your API Secret. Obviously, never share your API Secret with anyone in clear text.
In the X-Api-Key header, concatenate the API Key and the current unix timestamp (in seconds), separated by the | character. In the X-Api-Signature header, provide the hexadecimal sha-256 hash of the X-Api-Key header value, signed with your API Secret.
The CSML server will be able to validate that both the API Key and the API Secret used are valid, without requiring you to provide the API Secret in clear text. Replay attacks are prevented by invalidating all calls a few minutes after the timestamp provided in the X-Api-Key header.

Implementation examples

Javascript
Python
1
const crypto = require('crypto');
2
3
const UNIX_TIMESTAMP = Math.floor(Date.now() / 1000);
4
5
const XApiKey = `${API_KEY}|${UNIX_TIMESTAMP}`;
6
const signature = crypto.createHmac('sha256', secret)
7
.update(XApiKey, 'utf-8')
8
.digest('hex');
9
const XApiSignature = `sha256=${signature}`;
Copied!
1
import time
2
import hmac
3
import hashlib
4
5
timestamp = str(int(time.time()))
6
x_api_key = ${API_KEY} + "|" + timestamp
7
8
signature = hmac.new(
9
str.encode(${API_SECRET}),
10
x_api_key.encode('utf8'),
11
digestmod=hashlib.sha256
12
).hexdigest()
13
x_api_signature = "sha256=" + signature
Copied!
Studio API - Previous
Getting Started
Next - Studio API
Studio CLI
Last modified 1yr ago
Export as PDF
Copy link
Contents
Authentication
Implementation examples