Authentication
Your API key identifies your supplier account. Only catalog rows and orders that belong to your integration are visible through the API.
Keys are stored securely on our side (we keep a hash, not the plain secret). You only see the full key when it is first issued.
Headers
| Method | Header |
|---|---|
| Bearer | Authorization: Bearer <api_key> |
| Raw token | X-Supplier-Token: <api_key> |
Leading and trailing spaces around the key are ignored. If the key is missing or wrong, the API responds with 403 Forbidden.
Optional key identifier
You may send X-Supplier-Key-Id with a numeric identifier we give you for that key. It can speed up lookup on our side. If the id does not match, we still try other keys linked to your account.
Optional HMAC signing
If the Ask Ayurveda team enables HMAC for your credential, every request must also include:
| Header | Purpose |
|---|---|
| X-Supplier-Timestamp | Unix time in seconds when you sign the request (must be within a few minutes of our server time). |
| X-Supplier-Signature | Hex-encoded HMAC-SHA256 of a short canonical string, using your API key as the secret. |
Canonical string (newline-separated parts):
- The same timestamp as in X-Supplier-Timestamp
- The HTTP method in uppercase (for example GET)
- The path including the query string (for example /public-api/shop/v1/variants/?limit=1)
- Lowercase hex SHA-256 of the raw request body (use the hash of an empty string for GET and other bodies with no payload)
If the signature is wrong or the clock skew is too large, the API responds with 403 Forbidden.
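The signing steps above, as an added Python example (not Ask Ayurveda's own code), with a receiver-side check that mirrors the two documented 403 cases. Assumptions: the four parts are joined by a single "\n" with no trailing newline, the key is UTF-8 encoded and stripped of surrounding whitespace, and the skew window is 300 seconds; the function names and the sample key are hypothetical.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumption: the page only says "within a few minutes"


def canonical_string(timestamp, method, path_with_query, body=b""):
    """Build the newline-separated string that gets signed."""
    body_hash = hashlib.sha256(body).hexdigest()  # empty body -> SHA-256 of b""
    return "\n".join([str(timestamp), method.upper(), path_with_query, body_hash])


def sign_request(api_key, method, path_with_query, body=b"", timestamp=None):
    """Return the headers to send when HMAC is enabled for the credential."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    key = api_key.strip()  # assumption: secret is the key without surrounding spaces
    message = canonical_string(ts, method, path_with_query, body)
    signature = hmac.new(key.encode(), message.encode(), hashlib.sha256).hexdigest()
    return {
        "Authorization": f"Bearer {key}",
        "X-Supplier-Timestamp": str(ts),
        "X-Supplier-Signature": signature,
    }


def verify_request(api_key, method, path_with_query, body, headers, now=None):
    """Receiver-side sketch: reject on missing headers, clock skew or bad signature."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Supplier-Timestamp"])
        sent = headers["X-Supplier-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign_request(api_key, method, path_with_query, body, ts)["X-Supplier-Signature"]
    return hmac.compare_digest(expected.encode(), sent.encode())  # constant-time compare


if __name__ == "__main__":
    sample_key = "sk_constructed_example_key"  # constructed value, not a real key
    path = "/public-api/shop/v1/variants/?limit=1"
    for name, value in sign_request(sample_key, "GET", path).items():
        print(f"{name}: {value}")
```

Sign the exact bytes you send as the body and the exact path and query string you request; re-serialising JSON or reordering query parameters after signing changes the canonical string and the request is rejected.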