Introduction

The BigCo API provides programmatic access to manage users, webhooks, and interact with various services. This documentation outlines authentication methods, request formats, and available endpoints.

Base URL: https://api.bigco.ai/api/v1

Authentication

API and webhook requests use HMAC to ensure data integrity and authenticity of messages. BigCo will generate and share an API username and secret per vendor, used to secure communications.

Requests must have the following headers.

Header	Description
x-bigco-hmac-username	The vendor username tied to the API secret.
x-bigco-hmac-sha256	base64 hash based signature of the request.
See “Generating the Signature” below
x-date	Time of request in UTC. ISO 8601 date and time format.
Example: `2024-03-05T17:52:11.345Z`
content-type	HTTP content type. Must be`application/json`
x-digest	Used to troubleshoot requests. base64 encoding of request body.
Note: this header is only required for POST and PUT calls.

Generating the Signature (x-bigco-hmac-sha256 header value)

The x-bigco-hmac-sha256 signature is required to ensure data integrity and authenticity.

The signature is generated asx-bigco-hmac-sha256 = Base64(HMAC-SHA-256(API_SECRET, StringToSign))

StringToSign Format

For GET and DELETE requests:

x-date: {x_date}
{request_method} {url_path_and_query}

For POST and PUT requests:

x-date: {x_date}
{request_method} {url_path_and_query}
x-digest: {body_base64}

{x_date}: The timestamp when you’re sending the request, in ISO 8601 format. This must match the x-date header value.
{request_method}: HTTP request method (i.e. GET, PUT, POST, etc.). This value is all caps.
{url_path_and_query}: The request URL path and query string after the domain. For example, for https://api.bigco.ai/api/v1/user?phone_number=+18459014549 the value would be /api/v1/users?phone_number=+18459014549
{body_base64}: base64 encoding of the request body (Note: JSON keys must be in alphabetical order and all whitespace and newlines must be removed)