To authenticate an API call successfully, pass a consumer ID and digital signature in the header for every API call.
Register as a Walmart 1P Supplier to receive a consumer ID and private key. Log in to the Developer Portal to obtain these items. For instructions, see Introduction to DSV APIs.
You can use the consumer ID and private key, along with other required header parameters, to generate a digital signature.
Integration Steps: Digital Signature-Based Authentication
Drop ship vendor (DSV) suppliers can integrate with the 1P Supplier APIs by calling an API and generating a digital signature.
- Choose a GET method to call one of the 1P Supplier resources. For example, call GET Feed Status: GET /v3/feedstatus.
- Generate a digital signature.
Note: The digital signature will expire in 15 minutes; regenerate the signature using the same procedure.
There are two ways to generate a digital signature:
- Using the executable Java Archive (JAR) file (recommended)
- Using self-written code
Using the executable Java Archive (JAR) file eliminates a majority of authentication issues.
Pass the following header keys to authenticate a drop ship vendor (DSV) API call:
Name | Description | Required | Example |
---|---|---|---|
Accept | Specifies the returned data format in the response. Valid values are application/xml and application/json, depending on the API or request. | Yes | application/xml |
WM_CONSUMER.CHANNEL.TYPE | Specifies an identifier to track the consumer request by channel. Use the consumer channel type received during onboarding. | No | 0f3e4dd4-0514-4346-b39d-… |
WM_CONSUMER.ID | Specifies the identifier Walmart assigns to each supplier. Get this identifier by logging in to the supplier account. It is required to access the API. This value is only required when using digital signature based authentication. | Yes | 2d6cf199-9b07-4350-bb2b9-0db3c2 |
WM_QOS.CORRELATION_ID | Specifies an identifier for each API call and is used to track and debug issues. | Yes | 1234hfvgtr |
WM_SEC.AUTH_SIGNATURE | Specifies the digital signature of the vendor. For more about generating the digital signature (JAR file and custom generation code), see the Authentication with Digital Signature section. The value is required for digital signature based authentication. | Yes | 9fg3TPeRt0WSGbXNGGj4kSQ9L6PMBX…..9Zj5aDyg= |
WM_SEC.TIMESTAMP | Specifies the timestamp of the API request, in Unix format. This value is required for digital signature based authentication. | Yes | 1443748249449 |
WM_SVC.NAME | Specifies Walmart service name. | Yes | Walmart Gateway API |
Note: The content type for GET calls is not required, but may be automatically pre-filled and cause a system error during authentication. If a supplier receives this error, check to see if content type is included as a header parameter. If included, remove it.
If you are having trouble connecting to Developer Center, refer to Troubleshooting.
- Make sure the call does not throw a 400 or 401 error. For more information, refer to the Error Codes guide in the Errors category.
- If a 400 HTTP status code is received, validate the mandatory headers and all mandatory query or path parameters.
- If a 401 HTTP status code is received, verify the digital signature.
Generate a Digital Signature Using an Executable JAR File (Recommended):
To generate a digital signature using the executable Java Archive (JAR) file, follow these steps:
- Download Java 6.0 or greater. If it is not installed, go to: https://java.com/en/download
- Download the executable Java Archive (JAR) file: digitalSignatureUtil-1.0.0.jar
- Use the following command to run the executable Java Archive (JAR) file: java -jar DigitalSignatureUtil-1.0.0.jar DigitalSignatureUtil {requestUrl} {consumerId} {privateKey} {requestMethod} {filePath}
Note: A supplier’s program must run this executable Java Archive (JAR) file in the directory where the executable Java Archive (JAR) file is located.
Running the executable Java Archive (JAR) file returns the following two headers as the console output:
- WM_SEC.AUTH_SIGNATURE
- WM_SEC.TIMESTAMP
The executable Java Archive (JAR) file uses five parameters. See the table below:
Name | Description | Required |
---|---|---|
requestUrl | Specifies the full URL to call, including path and query parameters | Yes |
consumerId | Specifies the consumer ID retrieved from Developer Center after login | Yes |
privateKey | Specifies the vendor’s Base-64-encoded, PKCS#8 stored private key | Yes |
requestMethod | Specifies the request method. Use the GET method to call this API. | Yes |
filePath | Specifies the absolute (full) path of the file desired for the digital signature and timestamp. The digital signature and timestamp can also be viewed in the console. | Yes |
Note: Generate a digital signature and timestamp for every API call, even if it is for the same API.
Sample call to the executable Java Archive (JAR):
java -jar DigitalSignatureUtil-1.0.0.jar DigitalSignatureUtil https://api-gateway.walmart.com/v3/feeds/d4885da4-9bc1-4296-b26f-57e3cb0e0fc9?includeDetails=true 9a4d7659-100c-4d5e-a6b0-26faad4c9132 MIICeAIBADANBgkqhkiG9w0BAQEFAA... GET HelloWorld
Sample output authentication signature (Note: For security reasons, the authentication signature is truncated):
WM_SEC.AUTH_SIGNATURE:Lhq8pXEC9...
WM_SEC.TIMESTAMP:1438149671421
Generate a Digital Signature with Self-Written Code
To get the digital signature using self-written code, follow these steps:
- Get the consumer ID and private key from the Developer Portal.
- Get the full URL the supplier wishes to call, including any path and query parameters.
- Use the GET method to construct an input for the digital signature.
Use the structure listed below:
The consumer ID + "\n" + the URL of the API call + "\n" + the request method of the API call in all capitals + "\n" + the current Unix epoch timestamp + "\n"
Note: The order of the parameters and the line returns (\n) are important to generate the signature properly; see the sample signing code below.
- Generate the byte array of the structured data listed in step 3 using the following steps:
  - Decode the byte array with Base-64.
  - Encode the resulting value using PKCS#8 to represent your private key. Libraries in various languages offer the ability to identify that the private key is in PKCS#8 format and not in other conflicting formats such as PKCS#1.
  - Use this byte representation of the private key to sign the data using Secure Hash Algorithm (SHA-256) with RSA.
  - Encode the generated digital signature using Base-64.
- Use the generated digital signature and the timestamp in Unix format to make an API call.
Sample Signing Code: JAVA
import org.apache.commons.codec.binary.Base64;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;

public class SHA256WithRSAAlgo {
    private static String consumerId = "b68d2a72...."; // Trimmed for security reasons
    private static String baseUrl = "https://api-gateway.walmart.com/v3/feeds";
    private static String privateEncodedStr = "MIICeAIBADANBgkqhkiG9w0BAQEFAA......"; // Trimmed for security reasons

    public static void main(String[] args) {
        String httpMethod = "GET";
        String timestamp = String.valueOf(System.currentTimeMillis());
        // Every field, including the last one, is terminated by a newline character.
        String stringToSign = consumerId + "\n" + baseUrl + "\n" + httpMethod + "\n" + timestamp + "\n";
        String signedString = SHA256WithRSAAlgo.signData(stringToSign, privateEncodedStr);
        System.out.println("Signed String: " + signedString);
    }

    public static String signData(String stringToBeSigned, String encodedPrivateKey) {
        String signatureString = null;
        try {
            // Base-64 decode the key and load it as a PKCS#8 RSA private key.
            byte[] encodedKeyBytes = Base64.decodeBase64(encodedPrivateKey);
            PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(encodedKeyBytes);
            KeyFactory kf = KeyFactory.getInstance("RSA");
            PrivateKey myPrivateKey = kf.generatePrivate(privSpec);
            // Sign the UTF-8 bytes of the string with SHA-256 and RSA.
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initSign(myPrivateKey);
            byte[] data = stringToBeSigned.getBytes("UTF-8");
            signature.update(data);
            byte[] signedBytes = signature.sign();
            // Base-64 encode the signature for the WM_SEC.AUTH_SIGNATURE header.
            signatureString = Base64.encodeBase64String(signedBytes);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return signatureString;
    }
}
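The same signing procedure with the openssl command line, as an added example that is not part of the original page or of Walmart's tooling: it reads the key from a file instead of a command-line argument, so the key stays out of the process list and shell history, and it checks the signature locally with the matching public key before any API call is made. The function names, the all-zero consumer ID and the generated throwaway key are constructed for illustration; the millisecond timestamp follows the JAR output shown above.

```bash
#!/usr/bin/env bash
# Added example: all values are constructed and the key is a throwaway.
set -eu
umask 077                                   # key files readable by the owner only

# consumerId, URL, upper-cased method, timestamp: each ends with a real newline.
string_to_sign() {  # consumer_id url method timestamp_ms
  printf '%s\n%s\n%s\n%s\n' "$1" "$2" \
    "$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')" "$4"
}

# Wrap a bare Base-64 PKCS#8 string (stdin) in PEM armor so openssl can load it.
b64_to_pem() {
  echo '-----BEGIN PRIVATE KEY-----'        # PKCS#8; PKCS#1 is "BEGIN RSA PRIVATE KEY"
  tr -d ' \r\n' | fold -w 64; echo
  echo '-----END PRIVATE KEY-----'
}

# SHA256withRSA over the string to sign, Base-64 on one line.
sign_request() {  # key_pem consumer_id url method timestamp_ms
  string_to_sign "$2" "$3" "$4" "$5" |
    openssl dgst -sha256 -sign "$1" | openssl base64 -A
}

# Exit status 0 only if the signature matches exactly these fields.
verify_request() (  # pub_pem sig_b64 consumer_id url method timestamp_ms
  sigfile=$(mktemp); trap 'rm -f "$sigfile"' EXIT
  printf '%s\n' "$2" | fold -w 64 | openssl base64 -d > "$sigfile"
  string_to_sign "$3" "$4" "$5" "$6" |
    openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1
)

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
# Throwaway 2048-bit key reduced to the form the page describes: bare Base-64 PKCS#8.
key_b64=$(openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null |
            grep -v '^-----' | tr -d '\n')
printf '%s' "$key_b64" | b64_to_pem > "$work/key.pem"
openssl pkey -in "$work/key.pem" -pubout -out "$work/pub.pem"

cid='00000000-0000-0000-0000-000000000000'  # constructed consumer ID
url='https://api-gateway.walmart.com/v3/feeds?feedType=SUPPLIER_FULL_ITEM'
ts=$(( $(date +%s) * 1000 ))                # milliseconds, like the JAR output
sig=$(sign_request "$work/key.pem" "$cid" "$url" get "$ts")
echo "WM_SEC.TIMESTAMP:$ts"
echo "WM_SEC.AUTH_SIGNATURE:$sig"
verify_request "$work/pub.pem" "$sig" "$cid" "$url" GET "$ts" && echo "round trip OK"
```

If verification fails for a signature produced by other code, compare that code's string to sign byte for byte with the output of string_to_sign for the same four values.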
Troubleshooting
New users can experience difficulty when trying to integrate with the platform for the first time. Typically, errors occur when incorrect headers are generated (such as the timestamp or authentication signature). To avoid errors, use the headers listed in the header samples displayed in each corresponding section.
Sample Request Header:
WM_SVC.NAME: Drop Ship Vendor Services
WM_CONSUMER.ID: a20ac266-9add-4fc7-9392-fec303f5155c
WM_SEC.TIMESTAMP: 1438147839
WM_SEC.AUTH_SIGNATURE: j7Lh5PeRt0WSGbXNGGj4kSQ9L6PMBX/q+ovdy9bDQfvdhYs8NoEsjRX4fD7UNIHTddgkmSVqAqeIIHlaLcRIl0Y4DcJqQYHL27LiWlsm91nYodGssWTKsOq6dJfUHEy95M4zXFGWDDhbHYCor28SCV/g/JdEQybGkcX9Zj5aDyg=
WM_CONSUMER.CHANNEL.TYPE: 0f3e4dd4-0514
Testing the API Calls
To accelerate development, suppliers can use an online tool such as the Google Chrome Advanced Rest Client App (ARCA), Postman, etc.
To test API calls using the Advanced Rest Client App (ARCA), follow the steps below:
- Enter the URL: https://api-gateway.walmart.com/v3/feeds?feedType=SUPPLIER_FULL_ITEM
- Select GET from the drop-down menu.
- Configure the headers as listed in step 3 of the ‘Integration Steps’ section.
- Click Send.
If basic API calls are successful from the Advanced Rest Client App (ARCA) but are not successful from the self-written code, the problem lies in the self-written code. If the calls fail from the ARCA, there is a problem with the headers in the call.
Troubleshooting Hints
- If the call from the Advanced Rest Client App (ARCA) succeeds, the headers are correct. However, if the call fails, examine the headers.
- If the call from the Advanced Rest Client App (ARCA) fails and suppliers are not using the executable Java Archive (JAR) file, generate the headers using the executable Java Archive (JAR) file and try again. If the call now succeeds, either start using the executable Java Archive (JAR) file in place of the self-written authentication code, or adjust the self-written code to generate the headers correctly.
- If the call from the Advanced Rest Client App (ARCA) fails while using the executable Java Archive (JAR) file, generate a new set of credentials from Developer Portal and retry with the new credentials. This ensures that the credentials are not obsolete and that the private key has not been reset recently.
- If the Advanced Rest Client App (ARCA) is configured correctly and the most current credentials are being used, but errors still exist, contact Partner Support.