LogoLogo
  • PAVE OpenAPI Overview
  • How PAVE Works
    • Capture Link
    • Guided Capture
    • Customer Disclosures
    • Identified Vehicle Information
    • Captured Photos
    • Text Notifications
    • Inspection Results
    • Condition Report (PDF)
    • Detected Damages
    • Grading
    • Languages
    • Accuracy & Limitations
  • INTEGRATIONS
    • Developer Docs
      • Authentication
        • Generate Access Token
      • Sessions
        • POST Create Session
        • GET Session Data
        • GET Session Photos
        • GET Session Notes
        • GET Session Results
        • PUT Update Session
        • DELETE Session
      • Webhooks
        • GET All Callbacks
        • GET View a Callback
        • POST Create New Callback
        • PUT Update a Callback
        • DELETE a Callback
      • Deep Linking
        • Deep Link with React Native App
        • Deep Link Native App
        • Deep Linking with Shareable Links
      • Pass-Through Additional User Information
      • Tracking Your Sessions
      • User Session Lifecycle
      • Developer Testing
    • Account Optional Add-ons
      • Capture Only Theme (CAPT)
        • Skip Pictures
      • Right-Hand-Drive Capture Flow
  • MANAGING YOUR ACCOUNT
    • Your Guide to PAVE's Account and Enterprise Dashboards
  • Hotspots
    • PAVE Hotspots API
    • Activating PAVE Hotspots
    • Developer Docs
      • Authentication
        • Generate Access Token
      • Sessions
        • POST Create Session
        • POST Upload Photos
        • GET Results
  • OTHER RESOURCES
    • PAVE Capture Troubleshooting Guide
      • iPhone (iOS) Issues
        • Does my mobile phone work with PAVE?
        • Can't Access Camera - Incorrect Web Browser Usage
        • Can't Access Camera - Camera Permission Not Enabled
        • Camera Screen is Locked and won't Rotate
        • Inspection Get's Stuck
        • Inspection Won't Begin or Complete
        • Getting Back to an In-Progress Inspection
        • Why do I keep getting asked to retake pictures?
      • Android Phone Issues
        • Does my mobile phone work with PAVE?
        • Can't Access Camera - Incorrect Web Browser Usage
        • Can't Access Camera - Camera Permission Not Enabled
        • Camera Screen is Locked and won't Rotate
        • Inspection Gets Stuck
        • Inspection Won't Begin or Complete
        • Getting Back to an In-Progress Inspection
        • Why do I keep getting asked to retake pictures?
    • Policies
      • Service Level Agreement and Standards
      • Service Delivery Sub-Processors & Processors
      • API Strategy and Architecture
      • Information Security Policy
        • Data Quality Guideline
        • Data Retention Policy
        • Backup and Disaster Recovery
        • Data Residency
        • Data Access Control
Powered by GitBook
On this page
  1. INTEGRATIONS
  2. Developer Docs
  3. Authentication

Generate Access Token

Implementation Examples of Access Token Generation in Various Programming Languages

Create access token by using HMAC-SHA256

An access token can be generated by combining the api_key and timestamp string with the provided api_secret.

Attribute

Description

api_key

Get it from your PAVE Developer dashboard

api_secret

Get it from your PAVE Developer dashboard

timestamp

UTC Datetime string, example: 2021-05-30T12:49:19Z

Examples in Different Languages:

$token = hash_hmac('sha256', '<username>:<api_key>@<timestamp>', '<api_secret');
// https://www.php.net/manual/en/function.hash-hmac.php
const crypto = require('crypto');

const apiKey = 'your_api_key';
const apiSecret = 'your_api_secret';
const username = 'your_username';
const timestamp = (new Date()).toJSON(); 

const message = `${username}:${apiKey}@${timestamp}`;
const accessToken = crypto.createHmac('sha256', apiSecret).update(message).digest('hex');
import hashlib
import hmac
from datetime import datetime, timezone

api_key = 'your_api_key'
api_secret = 'your_api_secret'
username = 'your_username'

timestamp = datetime.now(timezone.utc).isoformat()

message = f'{username}:{api_key}@{timestamp}'
access_token = hmac.new(api_secret.encode('utf-8'), msg=message.encode('utf-8'), digestmod=hashlib.sha256).hexdigest()
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

func main() {
	apiKey := "your_api_key"
	apiSecret := "your_api_secret"
	username := "your_username"
	timestamp := time.Now().Format(time.RFC3339)

	message := fmt.Sprintf("%s:%s@%d", username, apiKey, timestamp)
	hmac := hmac.New(sha256.New, []byte(apiSecret))
	hmac.Write([]byte(message))
	access_token := hex.EncodeToString(hmac.Sum(nil))

	fmt.Println(signature) // prints the HMAC-SHA256 signature
}
import CommonCrypto
import Foundation

func hmacSha256(message: String, key: String) -> String {
    let messageData = message.data(using: .utf8)!
    let keyData = key.data(using: .utf8)!
    var hmacData = Data(count: Int(CC_SHA256_DIGEST_LENGTH))

    hmacData.withUnsafeMutableBytes { hmacPtr in
        CCHmac(CCHmacAlgorithm(kCCHmacAlgSHA256), (keyData as NSData).bytes, keyData.count, (messageData as NSData).bytes, messageData.count, hmacPtr)
    }

    return hmacData.map { String(format: "%02hhx", $0) }.joined()
}

let apiKey = "your_api_key"
let apiSecret = "your_api_secret"
let username = "your_username"

let dateFormatter = ISO8601DateFormatter()
dateFormatter.timeZone = TimeZone(secondsFromGMT: 0)
let timestamp = dateFormatter.string(from: Date())

let message = "\(username):\(apiKey)@\(timestamp)"
let accessToken = hmacSha256(message: message, key: apiSecret)
import java.nio.charset.StandardCharsets
import java.security.Key
import java.security.MessageDigest
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import java.time.LocalDateTime
import java.time.OffsetDateTime
import java.time.ZoneOffset
import java.time.format.DateTimeFormatter

fun main() {
    val apiKey = "your_api_key"
    val apiSecret = "your_api_secret"
    val username = "your_username"
    
    val utcDateTime = LocalDateTime.now(ZoneOffset.UTC)
    val offsetDateTime = OffsetDateTime.of(utcDateTime, ZoneOffset.UTC)
    val formatter = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ssXXX")
    val timestamp = offsetDateTime.format(formatter)

    val message = "$username:$apiKey@$timestamp"
    val accessToken = hmacSha256(message, apiSecret)    
}

fun hmacSha256(message: String, key: String): String {
    val secretKey = SecretKeySpec(key.toByteArray(StandardCharsets.UTF_8), "HmacSHA256")
    val mac = Mac.getInstance("HmacSHA256")
    mac.init(secretKey)
    val hmac = mac.doFinal(message.toByteArray(StandardCharsets.UTF_8))
    return bytesToHex(hmac)
}

fun bytesToHex(bytes: ByteArray): String {
    return bytes.joinToString("") { "%02x".format(it) }
}

To generate the correct token, please make sure the combination string you are using with the 1) api_key, 2) timestamp and 3) api_secret are arranged in this order.

To generate the correct token, please ensure your timestamp is using UTC Datetime. And use the matching timestamp to the one included in your header when generating your token.

Replace <username>

with the primary account name that your representative initially provided. If you have an Enterprise account, use that account name, not one of the branch account. Do not set <username) as one of the user names you created in your dashboard.

PreviousAuthenticationNextSessions

Last updated 7 months ago