HMAC Signature Generation

Every authentication string must be signed with an HMAC hash of the sig_field and ts fields.

Using node, the code looks like

const CryptoJS = require("crypto-js"); // npm install crypto-js

let ts = Math.floor(new Date().getTime() / 1000);
let sig_field = '<customerId>';
let body = sig_field + '|' + ts;
let hash = CryptoJS.HmacSHA256(body, '<hash_supplied_by_OG>');
let hash_base64 = CryptoJS.enc.Base64.stringify(hash);
//hash_base64 is the value to populate the "sig" key with

Or, if you are using trust groups, it looks like:

CryptoJS.HmacSHA256("<sig_field>|<trust_group>|<ts>", '<hash_supplied_by_OG>');

Just about every major language has libraries that help you generate this hash. Below are some examples, and here's the whole list.

Command Line

$ echo -n 'test_user|1488466536' | openssl dgst -sha256 -hmac 'NT2kBcFx%!7dnAOVv9}i3CR*<L66w5' -binary | base64


import base64
import hashlib
import hmac
import time

user = "test_user"
timestamp = int(time.time())
secret_key = "NT2kBcFx%!7dnAOVv9}i3CR*<L66w5"
user_and_time = "{}|{}".format(user, timestamp)
hash_obj =, msg=bytes(user_and_time), digestmod=hashlib.sha256)
signature = base64.b64encode(hash_obj.digest())