Cryptographic signature of information responses

v1.0, May 2024

      Public key

      Reports that can be signed

      Notes

This document describes the cryptographic signature that is used to verify some responses.

Public key

WebAPI exposes a public HTTP REST endpoint (https://some_WebAPI/v1/keys/) that serves the public certificates in JWK format.

Reports that can be signed

| Report | String for signing |
|---|---|
| AccountsReport | “access_token_id,trader_id,account_id1,account_id2,…,account_idN”; the order of accounts is the same as in the report. |
| EntitlementReport | “access_token_id,trader_id,entitlement_type1,entitlement_code1,entitlement_type2,entitlement_code2,…,entitlement_typeN,entitlement_codeN”; the order of entitlements is the same as in the report. |

Notes

      The signature verification algorithm is RsaSha256.

      A response can be signed only if the logon was made with an access token (otherwise WebAPI will send an empty signature).

      Each chunk of a report is signed.
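
The following client-side check is an added example, not WebAPI's own code: it builds the string for signing for both report types and verifies the signature against an RSA key in JWK form, rejecting an empty signature. Assumptions: RsaSha256 means RSASSA-PKCS1-v1_5 with SHA-256, the string is UTF-8 encoded, the JWK carries `n` and `e`, and the signature has already been decoded to raw bytes; all function names, ids and the test key are constructed.

```python
import base64
import hashlib
import hmac

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def accounts_string(access_token_id, trader_id, account_ids):
    # AccountsReport: ids joined by commas, accounts in report order
    return ",".join([access_token_id, trader_id, *account_ids])

def entitlement_string(access_token_id, trader_id, entitlements):
    # EntitlementReport: (type, code) pairs flattened in report order
    flat = [part for pair in entitlements for part in pair]
    return ",".join([access_token_id, trader_id, *flat])

def b64url_to_int(value):
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")

def emsa_pkcs1_v15(message, k):
    # Expected padded block: 00 01 FF..FF 00 DigestInfo(SHA-256(message))
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify(jwk, message, signature):
    # An empty signature means the response was not signed: never accept it.
    if jwk.get("kty") != "RSA" or not signature:
        return False
    n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        return False
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(message.encode("utf-8"), k))

def demo():
    # Constructed test key from two Mersenne primes (NOT secure) and constructed ids
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8
    enc = lambda i: base64.urlsafe_b64encode(i.to_bytes((i.bit_length() + 7) // 8, "big")).rstrip(b"=").decode()
    jwk = {"kty": "RSA", "n": enc(n), "e": enc(e)}
    msg = accounts_string("tok-1", "trader-7", ["A1", "A2"])
    em = int.from_bytes(emsa_pkcs1_v15(msg.encode("utf-8"), k), "big")
    sig = pow(em, d, n).to_bytes(k, "big")
    reordered = accounts_string("tok-1", "trader-7", ["A2", "A1"])
    return verify(jwk, msg, sig), verify(jwk, reordered, sig), verify(jwk, msg, b"")
```

`demo()` returns `(True, False, False)`: the original string verifies, the same accounts in a different order do not, and an empty signature is rejected. Because each chunk is signed, the check is run per chunk.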