Key Exchange
1. Signed Request
All information exchanges between APIs must use the HTTPS protocol¹ and asymmetric signing². Our implementation model for signing is based on the one used by Amazon³, with the primary difference being the use of asymmetric keys that add a layer of non-repudiation to the communication.
Our APIs accept only HTTPS requests using TLS 2.0.
All communication with QI is signed, both requests and responses: every message carries a parameter that ensures its authenticity. To perform this signing, QI uses a standard based on asymmetric keys, so there are two different keys, one for signing (the private key) and one for reading, that is, verifying the signature (the public key). The signatures follow the JWT standard⁴ and use the ECDSA SHA512 signature algorithm⁵. We HIGHLY recommend exploring the site https://jwt.io/, where you can validate JWTs and discover libraries to handle these tokens in virtually any modern programming language.
The use of this combination of technologies aims to create a secure communication channel that ensures the messages sent could only come from a source that possesses the private key to sign them. For this reason, the public-private key pair needs to be created independently by each party, and the private key must be kept secret, not disclosed to any third party or interested party, not even to QI.
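Because the signature format is fixed to JWT with ECDSA and SHA-512, a receiver can refuse any token that claims a different algorithm before it verifies anything. The following is an added example, not QI Tech's code: it assumes the JWS algorithm name ES512 and its 132-byte raw signature (RFC 7518), all function names are hypothetical, and the sample tokens are constructed with placeholder signature bytes. Cryptographic verification against the counterparty's public key is still done afterwards by a JWT library.

```python
import base64
import json

EXPECTED_ALG = "ES512"  # JWS name for ECDSA on P-521 with SHA-512 (RFC 7518)
RAW_SIG_LEN = 132       # R || S, 66 bytes each for a 521-bit curve


def b64url_decode(segment: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def precheck_es512(token: str) -> dict:
    """Return the decoded header, or raise ValueError before any crypto runs."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("malformed segment") from exc
    # Pin the algorithm on the verifier side; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        raise ValueError("alg is not ES512")
    if len(signature) != RAW_SIG_LEN:
        raise ValueError("signature is not 132 bytes")
    return header


def build_sample(alg: str, sig_len: int) -> str:
    """Constructed token with placeholder signature bytes (not a real signature)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": "constructed-example"}).encode())
    return f"{header}.{payload}.{b64url_encode(bytes(sig_len))}"


def is_accepted(token: str) -> bool:
    try:
        precheck_es512(token)
        return True
    except ValueError:
        return False
```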
2. Key Exchange (Public and Private)
To generate your private key on a UNIX computer, run:
$ ssh-keygen -t ecdsa -b 521 -m PEM -f jwtECDSASHA512.key
And from this private key, generate your public key:
$ openssl ec -in jwtECDSASHA512.key -pubout -outform PEM -out jwtECDSASHA512.key.pub
3. Generating Public and Integration Keys for QI Tech
As part of signing requests and responses, you need to provide your public key to us, and we need to provide a public key to you, so that messages can be read (their signatures verified) at both ends of the communication. Additionally, we provide a unique UUID key that represents your API integration within our system.
To receive both keys, log in to the QI Tech platform sandbox environment. Click on "My Profile" located in the left sidebar menu, then go to the Integration tab. After that, insert your public key in the first field and click the "SAVE KEY" button. Once this is done, the public and integration keys of QI Tech will be available in the lower fields.
Never provide your private key; it is for your exclusive use, and sharing it instead of the public key compromises the security of your requests. Furthermore, do not share your QI Tech public keys and integration key as they are your means of communication with our APIs.