# Authentication

## **API Keys**
Omniex uses API keys to authenticate all API calls. You can generate your organization’s API keys from our [web platform](#topic-environments).

All requests require authentication and must contain the following HTTP headers:

       - ONX-API-KEY
       - ONX-API-TIMESTAMP
       - ONX-API-SIGNATURE

ONX-API-KEY is your API key in plain text format, for example:

       ONX-API-KEY: b60d121b438a380c343d5ec3c2037564b82ffef3

    ONX-API-TIMESTAMP is the request’s Unix timestamp in milliseconds, for example:

       ONX-API-TIMESTAMP: 1607623851876

    ONX-API-SIGNATURE is a user-generated SHA384 HMAC unique signature for a request, for example:

       ONX-API-SIGNATURE: 736d53a7717857c173df211f51899c445736ee3c96e9ac13fb250443b0064011

## **Creating the Signature**

    1. First, construct the pre-hash payload by concatenating the following elements:

               [HTTP method] + [request path] + [request body] + [timestamp]

                 Note:
                   - The HTTP method is case-sensitive.
                   - The request path should omit any query parameters.
                   - Where there is no request body, use an empty string.
                   - The timestamp should be identical to the ONX-API-TIMESTAMP header.
                   - Requests with a timestamp older than 30 seconds will be rejected.

    2. Then, create a SHA384 HMAC of the payload above using your API secret. For example, using Python code the following script represents how to generate headers to request the portfolios endpoint:

> import hmac
>
> import hashlib
> import time
> 
> api_key = 'your api key here'
> secret = 'your api secret here'
>                 
> http_method = 'GET'
> request_path = '/edge/v1beta/portfolios'
> request_body = ''
> timestamp = str(int(time.time() * 1000))
>                
> payload = http_method + request_path + request_body + timestamp
>               
> hash_hmac = hmac.new(secret.encode(), payload.encode(), hashlib.sha384)
> request_hash = hash_hmac.digest().hex()
>              
> headers = {
>                    'ONX-API-KEY': api_key,
>                    'ONX-API-TIMESTAMP': timestamp,
>                    'ONX-API-SIGNATURE': request_hash
>                   }

       

## Example
```
$ curl \
 -X GET https://api.omniex.io/edge/v1beta/portfolios \
  -H "X-API-KEY: fI7xlbw7e2" \
  -H "X-API-TIMESTAMP: 1606940938725" \
  -H "X-API-SIGNATURE: 3181a3c21da8a5bb952076cc3655cc17de3d63efa790282c3625d21fee52db4a" \
```