API Authentication

To connect to our API’s, all requests must be authenticated. Please follow the guides below to authenticate against our API’s.


Connecting to OneFlow RESTful API’s will require TLS 1.2 for all HTTPS connections.

If you need help to ensure that your environment is ready for this you can follow one of these checks.


OneFlow RESTful API’s use an HTTP Authorization header to pass authorization information. Under the OneFlow authorization scheme, the Authorization header has the following form:

x-oneflow-authorization: Token:Signature

OneFlow User accounts are created via the SiteFlow website and are issued with an access token and secret key. For request authorization, the Token element identifies the access key ID that was used to compute the signature and, indirectly, the user account making the request.

The Signature element is the RFC 2104HMAC-SHA1 of selected elements from the request, and so the Signature part of the Authorization header will vary from request to request. If the request signature calculated by the system matches the Signature included with the request, the requester will have demonstrated possession of the OneFlow secret access key. The request will then be processed under the identity, and with the authority, of the developer to whom the key was issued.

In addition to the Authorization header the request must also contain a ‘x-oneflow-date’ header which contains the timestamp used in the Signature encryption. Below is an example of the headers used in the the request

x-oneflow-authorization: 124213431243214:1f32c4a3455b67a5d7

x-oneflow-date: 2014-03-10 17:16:18

Generating The Authorization Request Header

Below are some code examples which generate the `x-oneflow-authorization` header detailed above.


// We use the crypto NPM module for encryption of the signature
var crypto = require('crypto');
var stringToSign = method + " " + path + " " + timestamp;
var hmac = crypto.createHmac("SHA1", secret);
var signature = hmac.digest("hex");
var authHeader = token + ":" + signature;


// Required for use HMACSHA1:
using System.Security.Cryptography;
string stringToSign = method + " " + path + " " + timestamp;
HMACSHA1 hmac = new HMACSHA1(Encoding.UTF8.GetBytes(secret));
byte[] signatureBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign));
string signature = BitConverter.ToString(signatureBytes).Replace("-", "").ToLower();
string authHeader = token + ":" + signature;


   $stringToSign = strtoupper($method) . ' ' . $path . ' ' . $timestamp;
   $signature = hash_hmac('sha1', $stringToSign, $secret);
   $authHeader = $token . ':' . $signature;