Partner Portal

English

简体中文

English

简体中文

Appearance

Quickstart

Get from zero to a successful API call using the Partner API chain with HMAC-SHA256 authentication.

Prerequisites

  • API running at http://127.0.0.1:18020/prometheus
  • A Partner portal API key and secret (provisioned through the portal UI)
  • curl or any HTTP client

Step 1: Verify the API is reachable

bash
curl http://127.0.0.1:18020/prometheus/actuator/health
# Expected: {"status":"UP"}

Step 2: Sign and send a request

The Partner API chain requires four headers on every request:

HeaderValue
AuthorizationHMAC-SHA256 <base64-signature>
X-Api-KeyYour API key (e.g. sk_live_abc123)
X-TimestampUnix epoch in seconds (e.g. 1709337600)
X-NonceUnique request identifier (e.g. UUID)

Signature construction 

stringToSign = METHOD + "\n" + PATH + "\n" + TIMESTAMP + "\n" + NONCE + "\n" + BODY
signature   = Base64(HMAC-SHA256(apiSecret, stringToSign))

Example: Initiate login

bash
API_KEY="sk_live_abc123def456"
API_SECRET="your-api-secret-here"
TIMESTAMP=$(date +%s)
NONCE=$(uuidgen)
METHOD="POST"
PATH="/api/v1/partner/auth/login/initiate"
BODY='{"email":"partner@example.com","password":"Str0ngP@ss!"}'

STRING_TO_SIGN="${METHOD}\n${PATH}\n${TIMESTAMP}\n${NONCE}\n${BODY}"
SIGNATURE=$(echo -ne "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$API_SECRET" -binary | base64)

curl -X POST "http://127.0.0.1:18020/prometheus${PATH}" \
  -H "Authorization: HMAC-SHA256 ${SIGNATURE}" \
  -H "X-Api-Key: ${API_KEY}" \
  -H "X-Timestamp: ${TIMESTAMP}" \
  -H "X-Nonce: ${NONCE}" \
  -H "Content-Type: application/json" \
  -d "$BODY"

Expected response:

json
{
  "version": "2.0.0",
  "success": true,
  "code": "2000",
  "data": {
    "sessionId": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
    "mfaMethods": [
      { "code": "EMAIL", "value": 10011001 }
    ],
    "expiresIn": 300
  }
}

Step 3: Fetch reference data

Once authenticated, you can call other Partner endpoints:

bash
curl "http://127.0.0.1:18020/prometheus/api/v1/partner/constants/countries" \
  -H "Authorization: HMAC-SHA256 ${SIGNATURE}" \
  -H "X-Api-Key: ${API_KEY}" \
  -H "X-Timestamp: ${TIMESTAMP}" \
  -H "X-Nonce: ${NONCE}" \
  -H "Content-Type: application/json"

Common 403 Causes

  1. Using /web/v1/** paths instead of /api/v1/**
  2. API key lacks the required scope
  3. Timestamp drift beyond the 60-second validity window
  4. Nonce reuse (replay protection)

Next Steps

SlaunchX Internal Documentation

Copyright © 2026 SlaunchX