Chats API authorization

Headers

Chats API authorization differs from the authorization used in other Kommo API methods. In order to work with Chats API, you do not need to pass an Access Token, but you must include the following headers in all requests to amojo.kommo.com:

  • Date
  • Content-Type
  • Content-MD5
  • X-Signature

| Header | Description |
| --- | --- |
| Date | Date and time the request was generated. The signature is valid for 15 minutes from this time. |
| Content-Type | Request data type. Currently only application/json is supported. |
| Content-MD5 | MD5 hash of the request body, specified in lowercase. The hash is computed over the request body as a byte stream, regardless of where the JSON markup ends: if the body ends with \n or spaces, they are included in the hash. For GET requests the MD5 must also be calculated, even if nothing is passed in the request body (the result is the MD5 of an empty string). |
| X-Signature | Request signature. A string is formed from the method name (GET/POST) in uppercase and the values of the headers (exactly as specified in the request, without changes), joined with \n. The header values must follow a fixed order. In general, if a header is missing, an empty string is used in its place. Next, append the request path from the URL, without the protocol and domain (and without GET parameters), to the string. Then compute HMAC-SHA1 over the resulting string, using the channel secret obtained during chat channel registration as the key. The resulting hash is specified in lowercase in the X-Signature header. |

🚧

It's important not to use a secret key in the frontend of the widget. Any requests using the secret key should only be made from the backend part of your application.

Formation of signatures and headers

As mentioned earlier, all requests must carry a number of headers, including X-Signature, the value of which is the SHA1 hash of the request body, signed with a secret key. Using a secret key makes it possible to verify the integrity of the payload and its origin.
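
The header computation described above, as an added Python example for backend use (not Kommo's own recipe). The field order in the signed string (method, Content-MD5, Content-Type, Date, path), the RFC 2822 date format, and the sample path and secret are assumptions that the text above does not specify.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from email.utils import format_datetime
from typing import Optional

CONTENT_TYPE = "application/json"  # the only type the page lists as supported


def build_chat_headers(method: str, path: str, body: bytes, secret: str,
                       now: Optional[datetime] = None) -> dict:
    """Return the four headers required on a request to amojo.kommo.com."""
    # MD5 over the exact bytes sent on the wire: a trailing "\n" or space
    # changes the digest, and an empty GET body hashes the empty string.
    content_md5 = hashlib.md5(body).hexdigest()  # hexdigest() is lowercase

    # ASSUMPTION: RFC 2822 date format; the page only says "date and time".
    date = format_datetime(now or datetime.now(timezone.utc))

    # ASSUMPTION: field order is method, Content-MD5, Content-Type, Date, path.
    # The page requires a fixed order but does not list it.
    string_to_sign = "\n".join([
        method.upper(),
        content_md5,
        CONTENT_TYPE,
        date,
        path.split("?", 1)[0],  # path only: no scheme, host or GET parameters
    ])

    # HMAC-SHA1 keyed with the channel secret, lowercase hex.
    signature = hmac.new(secret.encode(), string_to_sign.encode(),
                         hashlib.sha1).hexdigest()
    return {"Date": date, "Content-Type": CONTENT_TYPE,
            "Content-MD5": content_md5, "X-Signature": signature}


if __name__ == "__main__":
    # Constructed sample values: the path and secret are placeholders.
    sample_body = b'{"hello": "world"}'
    for name, value in build_chat_headers(
            "post", "/v2/example/path?debug=1", sample_body,
            "PLACEHOLDER_CHANNEL_SECRET").items():
        print(f"{name}: {value}")
```

Send exactly the bytes that were hashed: re-serializing the JSON after computing Content-MD5 changes whitespace and invalidates both the digest and the signature.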

You can check out the recipe for counting your Chats API headers in Python and PHP here: