Getting Started
This API requires an active license of the Curios platform. You can sign up for a Curios license with a FREE trial at www.curios.com/launch
Formatting Requests
Each request consists of the following key parts:
-
Resource URL
https://api.curios.com
. -
API version number
v2
. -
A resource endpoint path, such as
/api/collections
. -
Header values, with the following being required for every call:
curios-api-key
curios-date
curios-signature
(see "Request Signing" below) -
For authenticated endpoints, an authorization header value as
Authorization: Bearer {JWT}
(see "Customer Authentication" below) -
The type of request:
GET
,POST
,PUT
-
Body containing key/value pairs
--data-raw '{ "key": "value"}'
.
Request Signing
Every request must include a signature in the curios-signature
header value.
Signature requests are created by following very specific steps as outlined below - be warned, the slightest deviation from these steps could lead to your signature not validating.
STEP 1: Define the request date
The request date must be sent as a UTC date/time stamp.
The exact format of the value must be yyyy-mm-ddThh:mm:ss.000Z
(case sensitive).
STEP 2: Define the resource endpoint path
The resource endpoint path is the URL path values that exist AFTER /v2/api/.
The value must NOT have a leading slash or trailing slash.
The path must include any relevant ID values for those endpoints that require it.
The value is case sensitive.
CORRECT EXAMPLE: collections
INCORRECT EXAMPLE: /collections/
CORRECT EXAMPLE: collections/0xf9ab70b4141e2ffd61fc8396e0f7585e82d103c2
INCORRECT EXAMPLE: v2/api/collections/0xf9ab70b4141e2ffd61fc8396e0f7585e82d103c2
CORRECT EXAMPLE: customers/resetPassword
INCORRECT EXAMPLE: Customers/ResetPassword
STEP 3: Define the payload
Every signature requires payload value to create, which represents the serialized JSON body content containging arguments being submitted for the request.
For GET requests, the payload will be empty, which is represented as an empty JSON object: {}
.
STEP 4: Hash the payload
Once the payload is defined, it must be hashed using SHA256.
STEP 5: Concatenate the values into a string
The string values created for request date
, endpoint path
, and hashed payload
must be contactenated into a single string, with each value being separated by a space character.
var string_to_sign = {request date}+' '+{endpoint path}+' '+{hashed payload};
STEP 6: Create the signature
The signature is a "signed" version of the concatenated string, created with HMAC SHA256 encryption, using your API Secret
as the encryption key.
var signature = HmacSHA256(string_to_sign, {API Secret});
Customer Authentication
Many of the endpoints require the customer to be authenticated before accessing information. Use the customers/login
and customers/verify
endpoints to retrieve a JSON Web Token (JWT) that you will need to send as an "Authorization" header for endpoints requiring authentication.
--header 'Authorization: Bearer {JWT}' \