Every authentication string must be signed with an HMAC hash of the sig_field and ts fields.
Using node, the code looks like
const CryptoJS = require("crypto-js"); // npm install crypto-js
let ts = Math.floor(new Date().getTime() / 1000);
let sig_field = '<customerId>';
let body = sig_field + '|' + ts;
let hash = CryptoJS.HmacSHA256(body, '<hash_supplied_by_OG>');
let hash_base64 = CryptoJS.enc.Base64.stringify(hash);
//hash_base64 is the value to populate the "sig" key with
Or, if you are using trust groups, it looks like:
CryptoJS.HmacSHA256("<sig_field>|<trust_group>|<ts>", '<hash_supplied_by_OG>');
Just about every major language has libraries that help you generate this hash. Below are some examples, and here's the whole list.
Command Line
$ echo -n 'test_user|1488466536' | openssl dgst -sha256 -hmac 'NT2kBcFx%!7dnAOVv9}i3CR*<L66w5' -binary | base64
BNobNOMlv3DDv6IXs861hx6WMM/4qP4V18tSYM8mPoQ=
Python
import base64
import hashlib
import hmac
import time
user = "test_user"
timestamp = int(time.time())
secret_key = "NT2kBcFx%!7dnAOVv9}i3CR*<L66w5"
user_and_time = "{}|{}".format(user, timestamp)
hash_obj = hmac.new(key=bytes(secret_key), msg=bytes(user_and_time), digestmod=hashlib.sha256)
signature = base64.b64encode(hash_obj.digest())