Authentication

Accessing Ipsos APIs

Get credentials

Please reach out to [email protected] or [email protected] and request credentials, so you can use them to authenticate and test our APIs in a Swagger interface.

Feasibility

There is a simple method of validating that Ipsos is the one calling your feasibility endpoint and not other unauthorized users of the web service: review the "X-RequestValidationMessage" HTTP header added to each request from Ipsos.

The RequestValidationMessage is a SHA256 hash of the body POSTed to your FeasibilityEndpoint with your password appended, encoded in base 64: base64(sha256(body + password)). Using your API password configured in our system, you can calculate the hash and validate that the message came from Ipsos.

If you don’t know your password or want to get a new one, please contact: [email protected]

The steps to calculate the X-RequestValidationMessage to compare against the header are shown below.

Python:

#!/usr/bin/env python3
import base64
import hashlib

# supplier id's password set up by Ipsos Supplier Support
password = "password"
# example file contains the request body sent to the endpoint;
# newline="" keeps line endings exactly as received so the hash is not altered
requestUTF8 = open("myRequest.json", "r", encoding="utf8", newline="").read()
# the validation message is base64(sha256(bytes(requestContent + password)))
unhashedMessage = requestUTF8 + password
m = hashlib.sha256()
# add bytes to digest
m.update(unhashedMessage.encode("utf8"))
digest = m.digest()
# convert to base 64
encoded = base64.b64encode(digest).decode("utf-8")
# now check whether the hash matches to verify the request was sent by Ipsos with the saved password
print(f"calculated validation hash is '{encoded}' and should match request header X-RequestValidationMessage")

C#:

using System;
using System.Security.Cryptography;
using System.Text;

namespace ConsoleApplicationHashCodeValidation
{
    class Program
    {
        // Returns true when the header value equals base64(sha256(requestBody + supplierPassword)).
        static bool compareHash(string hashCodeFromHeader, string requestBody, string supplierPassword)
        {
            using (var sha256 = SHA256.Create())
            {
                var hash = sha256.ComputeHash(Encoding.UTF8.GetBytes(requestBody + supplierPassword));
                var calculatedHash = Convert.ToBase64String(hash);
                return calculatedHash == hashCodeFromHeader;
            }
        }
    }
}

PHP:

<?php
    // supplier id's password set up by Ipsos Supplier Support
    $password = "password";
    // example file contains the request body sent to the endpoint
    $requestUTF8 = file_get_contents("myRequest.json");
    $unhashedMessage = $requestUTF8 . $password;
    // third argument true returns the raw binary digest instead of hex
    $hash = hash("sha256", $unhashedMessage, true);
    $encoded = base64_encode($hash);

    echo "calculated validation hash is '$encoded' and should match request header X-RequestValidationMessage";
?>
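
A receiving endpoint can wrap the calculation above in a check over the raw request bytes, as in this added example (not Ipsos code). The function names, the sample body and its field names are constructed for illustration, and it assumes the body arrives UTF-8 encoded, as in the samples above.

```python
import base64
import hashlib
import hmac
import json

HEADER = "X-RequestValidationMessage"

def expected_validation_message(raw_body: bytes, password: str) -> str:
    """base64(sha256(body + password)), computed over the bytes as received."""
    digest = hashlib.sha256(raw_body + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def is_from_ipsos(headers: dict, raw_body: bytes, password: str) -> bool:
    """Return True only if the header is present and matches the calculated hash."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(HEADER.lower())
    if not received:
        return False  # fail closed when the header is missing or empty
    expected = expected_validation_message(raw_body, password)
    # compare_digest does not reveal, through timing, how many characters matched.
    return hmac.compare_digest(expected.encode("ascii"),
                               received.strip().encode("utf-8"))

# Constructed sample values for the demonstration (not real Ipsos data).
PASSWORD = "password"
RAW_BODY = b'{"projectId": 123,\r\n "country": "US"}'

def demo() -> dict:
    good = {HEADER: expected_validation_message(RAW_BODY, PASSWORD)}
    # Parsing and re-serialising changes whitespace, so the hash no longer
    # matches: always hash the body bytes before any JSON decoding.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode("utf-8")
    return {
        "valid": is_from_ipsos(good, RAW_BODY, PASSWORD),
        "lowercase_header": is_from_ipsos({HEADER.lower(): good[HEADER]},
                                          RAW_BODY, PASSWORD),
        "tampered_body": is_from_ipsos(good, RAW_BODY.replace(b"123", b"124"),
                                       PASSWORD),
        "reserialized_body": is_from_ipsos(good, reserialized, PASSWORD),
        "missing_header": is_from_ipsos({}, RAW_BODY, PASSWORD),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```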

Supply

Authorization method: /token

Using POST, call the /token method and send the data below, which represents your current credentials.

grant_type=password&username=[SUPPLIER_API_USERNAME]&password=[SUPPLIER_API_PASSWORD]

Be sure to also send a request header named "UserType" with the value "2". This header value signals a supplier token instead of other role types.

This returns the object below if the credentials are valid in the requested realm.
expires_in reflects the number of seconds the token is still valid.

{
  "access_token": "[AUTH_TOKEN]",
  "token_type": "bearer",
  "expires_in": 1799
}