AES Token Authentication
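The B2B Whitelabel API uses a secure AES-256-ECB encrypted timestamp to ensure all requests are authentic and protected from tampering or replay attacks. The token is built only from your API Key and the encrypted timestamp, so it identifies the partner and limits how long a captured token stays valid; it is not computed over the request URL or body.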
How to Authenticate
To authenticate your requests to the API, you will need two credentials:
- API Key (e.g. rzeo09mVG2): Your public identifier. You can find this in your Channel Partner Profile.
- Secret Key: A secure, 40-character string also found in your Channel Partner Profile. Keep this secret!
Using these two keys, your application must generate a dynamic access token for each request.
Generating the Access Token
The token must be generated dynamically at runtime because it includes an encrypted timestamp.
Here is how you generate the token in JavaScript/Node.js:
const crypto = require('crypto');
// 1. Enter your API Credentials from your Partner Dashboard
const apiKey = 'YOUR_PUBLIC_API_KEY';
const apiSecret = 'YOUR_PRIVATE_SECRET_KEY';
// 2. Get current UTC Time in standard format (e.g. "2026-06-24 16:35:51")
const timestamp = new Date().toISOString().replace('T', ' ').substring(0, 19);
// 3. AES-256 requires a 32-byte key. Take first 32 chars of the Secret.
const aesKey = apiSecret.substring(0, 32);
// 4. Encrypt the Timestamp (AES-256-ECB)
const cipher = crypto.createCipheriv('aes-256-ecb', aesKey, null);
cipher.setAutoPadding(true);
let encryptedTimestamp = cipher.update(timestamp, 'utf8', 'base64');
encryptedTimestamp += cipher.final('base64');
// 5. Combine Public API Key and Encrypted Payload
const payloadString = `${apiKey}|${encryptedTimestamp}`;
const finalToken = Buffer.from(payloadString).toString('base64');
// Send this in your API headers:
// headers: { "Partner-Access-Token": finalToken }
Here is how you generate the token in PHP:
<?php
// 1. Enter your API Credentials from your Partner Dashboard
$apiKey = 'YOUR_PUBLIC_API_KEY';
$apiSecret = 'YOUR_PRIVATE_SECRET_KEY';
// 2. Get current UTC Time in standard format
$timestamp = gmdate('Y-m-d H:i:s');
// 3. AES-256 requires a 32-byte key. Take first 32 chars of the Secret.
$aesKey = substr($apiSecret, 0, 32);
// 4. Encrypt the Timestamp (AES-256-ECB)
$encryptedTimestamp = openssl_encrypt(
    $timestamp,
    'aes-256-ecb',
    $aesKey,
    0 // Returns base64 encoded string by default
);
// 5. Combine Public API Key and Encrypted Payload
$payloadString = $apiKey . '|' . $encryptedTimestamp;
$finalToken = base64_encode($payloadString);
// Send this in your API headers:
// headers: [ "Partner-Access-Token" => $finalToken ]
Making the API Request
Once you have generated the finalToken, you must include it in the headers of every API endpoint request.
Include it using the Partner-Access-Token header:
Partner-Access-Token: <your-generated-finalToken>
Example using fetch:
fetch('https://api.dev.onlynx.co.th/v1/endpoint', {
  method: 'GET',
  headers: {
    'Content-Type': 'application/json',
    'Partner-Access-Token': finalToken // The token generated above
  }
})
  .then(response => response.json())
  .then(data => console.log(data));
Important Note: The token expires 5 minutes after it is generated, so you must generate a fresh token dynamically right before you send an API request!
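A local round-trip check for the token format from "Generating the Access Token", useful for catching key-truncation mistakes and clock skew against the 5-minute expiry noted above. This is an added example, not code from the API provider: the function names, the sample secret and the way the age is compared to the lifetime are assumptions, and the server's actual validation is not documented on this page.

```javascript
const crypto = require('crypto');

const TOKEN_LIFETIME_SECONDS = 5 * 60; // expiry stated in this document

// AES-256 key: first 32 characters of the Secret Key, which must be exactly 32 bytes.
function aesKeyFrom(apiSecret) {
  const key = Buffer.from(String(apiSecret).substring(0, 32), 'utf8');
  if (key.length !== 32) throw new Error('Secret Key must yield a 32-byte AES key');
  return key;
}

// Same steps as the generation snippet above, with the clock injectable for testing.
function buildPartnerToken(apiKey, apiSecret, now = new Date()) {
  const timestamp = now.toISOString().replace('T', ' ').substring(0, 19);
  const cipher = crypto.createCipheriv('aes-256-ecb', aesKeyFrom(apiSecret), null);
  const encrypted = Buffer.concat([cipher.update(timestamp, 'utf8'), cipher.final()]);
  return Buffer.from(`${apiKey}|${encrypted.toString('base64')}`).toString('base64');
}

// Reverse the steps locally: decode, split, decrypt, and compute the token's age.
function inspectPartnerToken(token, apiSecret, now = new Date()) {
  const payload = Buffer.from(token, 'base64').toString('utf8');
  const sep = payload.lastIndexOf('|'); // base64 text never contains '|'
  if (sep < 0) throw new Error('Token payload has no "|" separator');
  const decipher = crypto.createDecipheriv('aes-256-ecb', aesKeyFrom(apiSecret), null);
  const timestamp = Buffer.concat([
    decipher.update(payload.slice(sep + 1), 'base64'),
    decipher.final(), // throws on bad padding, e.g. a wrong Secret Key
  ]).toString('utf8');
  if (!/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/.test(timestamp)) {
    throw new Error('Decrypted value is not a UTC timestamp');
  }
  const issued = Date.parse(timestamp.replace(' ', 'T') + 'Z');
  // A negative age means the token's timestamp is ahead of this machine's clock.
  const ageSeconds = Math.floor((now.getTime() - issued) / 1000);
  return { apiKey: payload.slice(0, sep), timestamp, ageSeconds,
           expired: ageSeconds > TOKEN_LIFETIME_SECONDS };
}

// Constructed sample credentials (not real): API key from the example above, made-up secret.
const sampleSecret = '0123456789abcdefghijklmnopqrstuvwxyzABCD';
const sampleToken = buildPartnerToken('rzeo09mVG2', sampleSecret);
console.log(inspectPartnerToken(sampleToken, sampleSecret));
```

Because ECB has no IV, two tokens built in the same second with the same key are byte-for-byte identical, which is why the timestamp is the only thing that makes a token change.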