Attention!

Looking for the most up-to-date Sales Tax Filing or CertManager documentation? Go to our new documentation platform, Sovos Docs. For Global Tax Determination, connector and CertManager API docs, stay here.

Authenticate with the CertManager API

Hash-Based Message Authentication Code (HMAC) is a secure way to connect to the Sovos Data Center. To generate an HMAC, you will need the following:

  • The secret key and access key provided by Sovos during onboarding
  • The current timestamp, called the request date

Each request to the Sovos Data Center must contain a valid HMAC for secure access. Without an HMAC, Sovos' authentication layer will reject the request.

Header formats

This table shows the header formats for HTTPS requests for generating the HMAC:

Key

Value
Authorization HMAC generated using the secret key, access key, and request date
x-request-date

Must be UTC combined date and time in ISO 8601 format

Example:

Date: December 4, 2024

Time: 11:36 AM ET (UTC-05:00)

ISO format: 2024-12-04T11:36:00-05:00

 

Example script (Javascript)

The following pre-request script is one method for generating the HMAC:

const ACCESS_KEY = '<insert access key>';
const SECRET_KEY = '<insert secret key>';
var timestamp = new Date().toISOString();

function getAuthHeader(secretKey, data) {
var hmacDigest = determineAuthDigest(data, secretKey);
var authHeader = ACCESS_KEY + ':' + hmacDigest;
return authHeader; }

function determineAuthDigest(data, secretKey) {
return CryptoJS.HmacSHA256(data, secretKey).toString(CryptoJS.enc.Base64); }

var authHeader = getAuthHeader(SECRET_KEY, timestamp + ACCESS_KEY);