API User Scope

Calls as an API User include a string in the 'Authorization' header that is similar to the one used in Customer-level scope, with 3 exceptions:

  1. You'll use your API account username instead of customer ID for 'sig_field'.

  2. You'll use your API account private key instead of the merchant hash key.

  3. You'll need to supply another header value: 'og-authorization'. This tells our system that a user, not a customer, needs to be authenticated, and requires a value of True(case sensitive).

headers = {
  'authorization': '{"public_id": "39bkas893740ng49023u0m23049209n2", "ts": 1488466536, "sig_field": "test_user", "sig": "BNobNOMlv3DDv6IXs861hx6WMM/4qP4V18tSYM8mPoQ="}',
  'content-type': 'application/json',
  'og-authorization': 'True'
public_idPublic API key for your account (also your merchant ID)39bkas893740ng49023u0m23049209n2
tsCurrent Unix epoch timestamp - resolution in seconds1488466536
sig_fieldAPI account usernametest_api_user
sigGenerated HMAC signatureBNobNOMlv3DDv6IXs861hx6WMM/4qP4V18tSYM8mPoQ=

Hashing Signature Values

Your HMAC signature('sig') is the product of hashing the '<sig_field>|' value. See 'Signature Generation'.

Example Call in API User Scope

const request = require('request');    // npm install request
const CryptoJS = require("crypto-js"); // npm install crypto-js

function ogAuthorization(ogClientId, ogUserName, ogUserHashKey) {
    let ts = Math.floor(new Date().getTime() / 1000);
    let hash = CryptoJS.HmacSHA256(ogUserName + '|' + ts, ogUserHashKey);
    return JSON.stringify({
        public_id: ogClientId,
        sig_field: ogUserName,
        ts: ts,
        sig: CryptoJS.enc.Base64.stringify(hash)

const ogClientId = 'ogClientId'; // REPLACE ME
const ogUserName = 'ogUserName'; // REPLACE ME
const ogHashKey  = 'ogHashKey';  // REPLACE ME
const url = 'https://staging.restapi.ordergroove.com/products/';
const headers = {
    'Content-Type': 'application/json',
    'Authorization': ogAuthorization(ogClientId, ogUserName, ogHashKey),
    'OG-Authorization': 'True'

request({ url, headers }, function(error, response, body) {
    if (!error && response.statusCode == 200) {
    } else { 

import requests

url = 'http://hostname/resource'
headers = {
  'authorization': '{"public_id": "39bkas893740ng49023u0m23049209n2", "ts": 1488466536, "sig_field": "test_user", "sig": "BNobNOMlv3DDv6IXs861hx6WMM/4qP4V18tSYM8mPoQ="}',
  'content-type': 'application/json',
  'og-authorization': 'True'
response = requests.get(url, headers=headers)