Key Exchange
1. Signed Request
All API exchanges must use HTTPS and asymmetric signing. Our encoded header signature is based on Amazon's, the primary difference being the use of asymmetric keys, which adds a layer of non-repudiation to the communication.
All our APIs accept only HTTPS requests using TLS 2.0.
All communication with QI is signed, both requests and responses, which means the messages carry a parameter that ensures their authenticity. To perform this signing, QI uses asymmetric keys, so there are two different keys: one for signing (private key) and one for reading (public key). The signatures follow the JWT standard and use the ECDSA SHA512 signing algorithm. We HIGHLY recommend exploring the site https://jwt.io/, where you can validate JWTs and discover libraries to handle these tokens in virtually any modern programming language.
The aim of using this technology combination is to create a secure communication channel which ensures that sent messages could only come from a source that possesses the signature private keys. For this reason, the public-private key pair needs to be created independently by each party, and the private key must be kept secret, not to be disclosed to any third party or interested party, not even to QI.
2. Key Exchange (Public and Private)
Generate your private key on a macOS computer by running the following command in your terminal:
openssl ecparam -name secp521r1 -genkey -noout -out ec512-private.pem
And from this private key, generate your public key:
openssl ec -in ec512-private.pem -pubout -out ec512-public.pem
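Before uploading the public key, you can confirm that the pair is consistent and that a signature made with the private key verifies only against the unmodified message. The following is an added example, not QI Tech's own code: the function names are illustrative, the payloads are constructed, and it checks a raw ECDSA/SHA-512 signature with openssl rather than a full JWT.

```shell
#!/bin/sh
# Added example: file names follow the commands above; function names are illustrative.

# Generate the P-521 key pair in directory $1. The umask inside the subshell
# makes the key files readable by their owner only.
gen_keypair() (
    umask 077
    cd "$1" || exit 1
    openssl ecparam -name secp521r1 -genkey -noout -out ec512-private.pem &&
    openssl ec -in ec512-private.pem -pubout -out ec512-public.pem 2>/dev/null
)

# Return 0 only if the public key file in $1 is the one derived from the private key.
keys_match() {
    derived=$(openssl ec -in "$1/ec512-private.pem" -pubout 2>/dev/null) || return 1
    [ "$derived" = "$(cat "$1/ec512-public.pem")" ]
}

# Sign file $2 with the private key in $1 (ECDSA over SHA-512, DER signature written to $3).
sign_file() {
    openssl dgst -sha512 -sign "$1/ec512-private.pem" -out "$3" "$2"
}

# Return 0 only if signature $3 over file $2 verifies against the public key in $1.
verify_file() {
    openssl dgst -sha512 -verify "$1/ec512-public.pem" -signature "$3" "$2" >/dev/null 2>&1
}

# Round trip on constructed payloads: the original must verify, a modified copy must not.
self_check() {
    dir=$(mktemp -d) || return 1
    gen_keypair "$dir" && keys_match "$dir" || { rm -rf "$dir"; return 1; }
    printf '{"example":"constructed payload"}' > "$dir/msg.json"
    printf '{"example":"tampered payload"}' > "$dir/bad.json"
    sign_file "$dir" "$dir/msg.json" "$dir/msg.sig" || { rm -rf "$dir"; return 1; }
    rc=0
    verify_file "$dir" "$dir/msg.json" "$dir/msg.sig" || rc=1
    verify_file "$dir" "$dir/bad.json" "$dir/msg.sig" && rc=1
    rm -rf "$dir"
    return $rc
}
```

Source the file and run `self_check`; it works in a temporary directory and leaves your real key files untouched.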
3. Generating Public and Integration Keys for QI Tech
As part of your requests and response signature, it is necessary for you to provide your public key to us, and for us to provide a public key to you, so message decoding can be done by both ends. Additionally, we provide a unique UUID key that represents your API integration within our system.
To receive said keys, log in to the QI Tech platform sandbox environment. Click on "My Profile" located in the left sidebar menu, then go to the Integration tab at the top of the page. After that, insert your public key in the first field and click the "SAVE KEY" button. Once this is done, the public and integration keys of QI Tech will be available in the lower fields.
Never share your private key; it is exclusively yours to use, and sharing it instead of the public key compromises your requests' security. Additionally, do not share your QI Tech public keys and integration key as they are your means of communication with our APIs.