# Authentication

## **Terms And Definitions**

*<mark style="color:orange;">**X-AIO-Auth-Type**</mark>*

This header names the authorization/security scheme, defined by AIO Exchange, that is used to process the request. The scheme used is "AIO-HMAC".

*<mark style="color:orange;">**X-AIO-Sign**</mark>*

Every request must contain a signed header. The signature is generated from your secret key, the URI, the request method, the nonce, the timestamp (UNIX timestamp in milliseconds) and the encoded payload. The header value combines the API key, the signed Base64 string, the nonce and the timestamp.

*<mark style="color:orange;">**API-Key**</mark>*

This key is supplied to you when you register with AIO Exchange and is passed along with the signed data.

*<mark style="color:orange;">**API-Secret-Key**</mark>*

This key is used to generate the signed string and it is supplied to you when you register with AIO Exchange.

*<mark style="color:orange;">**Nonce**</mark>*

This is a unique string associated with each request. It can be a GUID or a client request ID.

*<mark style="color:orange;">**HTTP Request Method**</mark>*

The HTTP request method (GET, POST, PUT, DELETE, etc.) used to make a request must be included in the signed string.

*Note: These methods are case sensitive.*

*<mark style="color:orange;">**Request URI**</mark>*

This is the absolute URI to which the request is made. It is included in the signed string.

*<mark style="color:orange;">**Payload MD5 Base64 String**</mark>*

Any payload sent to the API must be hashed using MD5 and encoded as a Base64 string before being used for signing. This computed value is then included in the signature string.

*<mark style="color:orange;">**Request Timestamp UTC**</mark>*

This is the UNIX timestamp (UTC): the number of seconds between a particular date and the Unix Epoch, which starts on January 1st, 1970 at UTC. The maximum allowed age of a request is 180 seconds.

## **Signing a Request**

Every request has to be signed, with the generated signature carried in the *<mark style="color:orange;">**X-AIO-Sign**</mark>* header.

The signature is the HMAC-SHA256, keyed with your API-Secret-Key, of:

( API-Key:HTTPMethod:RequestURI:RequestTimeStamp:Nonce:PayLoadBase64String )

*<mark style="color:orange;">**Code Example : C#**</mark>*

{% code lineNumbers="true" %}

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json;

// Request body model used when a payload is sent.
public class PayLoadModel
{
    public string Value { get; set; }
}

public class Program
{
    // API-Key supplied at registration.
    private static readonly string APPId = "Your-API-KEY";
    // API-Secret-Key supplied at registration; it is Base64-decoded before use as the HMAC key.
    private static readonly string APIKey = "Your-Secret-API-KEY";
    // Placeholder: replace with the API base address, including the trailing slash.
    private static readonly string baseAdress = "Your-API-Base-Address/";

    private static async Task Main(string[] args)
    {
        string fullUrl = baseAdress + "api/v2/version";
        HttpClient client = new HttpClient();

        // The URL-encoded absolute URI and the case-sensitive method go into the signed string.
        string aioreqUri = System.Web.HttpUtility.UrlEncode(fullUrl);
        string aioreqHttpMethod = "GET";

        // UNIX timestamp (UTC) in seconds.
        DateTime epochTimeStart = new DateTime(1970, 01, 01, 0, 0, 0, 0, DateTimeKind.Utc);
        TimeSpan timeSpanToUNIX = DateTime.UtcNow - epochTimeStart;
        string aioreqTimeStamp = Convert.ToUInt64(timeSpanToUNIX.TotalSeconds).ToString();

        // A fresh nonce for every request.
        string nonce = Guid.NewGuid().ToString("N");

        // This GET request carries no payload, so the payload hash stays empty.
        bool isPayLoad = false;
        PayLoadModel objPayLoadModel = new PayLoadModel()
        {
            Value = "AIO.Exchange C# example!"
        };
        StringContent payLoadStringContent = new StringContent(
            JsonConvert.SerializeObject(objPayLoadModel), Encoding.UTF8, "application/json");

        string aioreqContentBase64String = string.Empty;
        string contentString = await payLoadStringContent.ReadAsStringAsync();

        if (isPayLoad && !string.IsNullOrEmpty(contentString))
        {
            // MD5 of the payload bytes, then Base64.
            byte[] content = Encoding.UTF8.GetBytes(contentString);
            using (MD5 md5 = MD5.Create())
            {
                byte[] aioreqContentHash = md5.ComputeHash(content);
                aioreqContentBase64String = Convert.ToBase64String(aioreqContentHash);
            }
        }

        // String to sign: API key, method, encoded URI, timestamp, nonce, payload hash.
        string prepareDataForsignature = $"{APPId}{aioreqHttpMethod}{aioreqUri}{aioreqTimeStamp}{nonce}{aioreqContentBase64String}";
        byte[] secretKeyToByteArray = Convert.FromBase64String(APIKey);
        byte[] signToBytes = Encoding.UTF8.GetBytes(prepareDataForsignature);

        using (HMACSHA256 hmac = new HMACSHA256(secretKeyToByteArray))
        {
            byte[] signatureBytes = hmac.ComputeHash(signToBytes);
            string aioreqSignedBase64String = Convert.ToBase64String(signatureBytes);

            // Header value: apikey:signature:nonce:timestamp
            client.DefaultRequestHeaders.Add("x-AIO-Auth-Type", "AIO-HMAC");
            client.DefaultRequestHeaders.Add("x-AIO-Sign", $"{APPId}:{aioreqSignedBase64String}:{nonce}:{aioreqTimeStamp}");
        }

        HttpResponseMessage responseMessage = await client.GetAsync(fullUrl);
        string responseToString = await responseMessage.Content.ReadAsStringAsync();
        Console.WriteLine(responseToString);
    }
}
```

{% endcode %}
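
How the terms defined above fit together from the verifying side, as an added Python sketch (not code from AIO Exchange or from this page): it signs a request the way the C# example does, then checks it for age, signature and nonce reuse. Assumptions: fields are concatenated without separators and the timestamp is in seconds, both taken from the C# example; the replay cache (`seen_nonces`) and all sample values are constructed.

```python
import base64, hashlib, hmac, time

MAX_AGE_SECONDS = 180  # maximum request age stated on this page

def payload_md5_b64(body: bytes) -> str:
    """Base64 of the MD5 digest of the body; empty string when there is no payload."""
    return base64.b64encode(hashlib.md5(body).digest()).decode() if body else ""

def sign(api_key, secret_b64, method, encoded_uri, timestamp, nonce, body=b""):
    """Build an X-AIO-Sign value: apikey:signature:nonce:timestamp."""
    # Assumption: fields are concatenated without separators and the secret is
    # Base64-decoded before use, as the C# example on this page does.
    data = f"{api_key}{method}{encoded_uri}{timestamp}{nonce}{payload_md5_b64(body)}"
    mac = hmac.new(base64.b64decode(secret_b64), data.encode(), hashlib.sha256)
    return f"{api_key}:{base64.b64encode(mac.digest()).decode()}:{nonce}:{timestamp}"

def verify(header, secret_b64, method, encoded_uri, body, seen_nonces, now=None):
    """Return (ok, reason). seen_nonces is a hypothetical in-memory replay cache."""
    now = time.time() if now is None else now
    parts = header.split(":")
    if len(parts) != 4:
        return False, "malformed header"
    api_key, _signature, nonce, ts = parts
    if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > MAX_AGE_SECONDS:
        return False, "stale timestamp"
    # Recompute over what the server actually received, then compare in constant time.
    expected = sign(api_key, secret_b64, method, encoded_uri, ts, nonce, body)
    if not hmac.compare_digest(expected.encode(), header.encode()):
        return False, "bad signature"
    # Record the nonce only after the signature checks out, so unsigned
    # requests cannot fill the cache.
    if (api_key, nonce) in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add((api_key, nonce))
    return True, "ok"

def demo():
    """Constructed sample values; none of them come from AIO Exchange."""
    secret = base64.b64encode(b"constructed-demo-secret").decode()
    uri = "https%3a%2f%2fapi.example.test%2fapi%2fv2%2fversion"  # already URL-encoded
    nonce = "0f8fad5bd9cb469fa16570867728950e"
    header = sign("demo-api-key", secret, "GET", uri, 1700000000, nonce)
    seen = set()
    return [
        verify(header, secret, "GET", uri, b"", seen, now=1700000060),   # accepted
        verify(header, secret, "GET", uri, b"", seen, now=1700000060),   # same nonce again
        verify(header, secret, "get", uri, b"", set(), now=1700000060),  # method case differs
        verify(header, secret, "GET", uri, b"", set(), now=1700000181),  # older than 180 s
    ]
```

The method, encoded URI and payload bytes passed to `verify` must match what the client signed byte for byte; any difference in case or URL encoding shows up as a bad signature.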
