API Key Authentication

You should have received your Rally API key by now, post registering your application with Rally's Admin. The Rally API key, a unique identifier (UUID), is auto-generated during the registration process, resembling something like ebfb7ff0-b2f6-41c8-bef3-4fba17be410c.

Given that anyone with access to your API key can make requests on your behalf, it's critical to maintain your API key's security and refrain from sharing it.

Passing the API Key

To authenticate your API requests with Rally Hooks and Webhooks, you must include your Rally API key. This is done by using the X-Api-Key custom header to input your key.
curl -i -X POST \
  https://api.onrally.com/connector-api/v1/webhooks/order-status-update \
  -H 'Content-Type: application/json' \
  -H 'X-API-KEY: ebfb7ff0-b2f6-41c8-bef3-4fba17be410c' \
  -H 'X-HMAC-SHA256: string' \
  -d '{
    "organization_id": "org_ABC",
    "external_id": "4603",
    "external_number": "4603",
    "status": "paid"

Security Considerations

While API key authentication is a convenient and straightforward method, its simplicity could potentially raise security issues. To alleviate such risks, it is crucial to use HTTPS for all API requests, thereby ensuring encryption of data in transit.

Besides HTTPS, our API mandates that requests and responses be signed with an HMAC and dispatched as a header along with the API key. Adhering to these practices can boost your API requests' security and guarantee data confidentiality.

For a comprehensive understanding of the HMAC signature, we suggest referring to our documentation, which delves deep into this subject.

Copyright © Rally Commerce, Inc. 2023. All right reserved.