Every new client will receive a dedicated Technical Sales Engineer (TSE) who will guide them through the integration and answer any questions they might have, technical or otherwise.
Upon starting the onboarding, we will create a dedicated institution entity in our system to represent your organization. We will send you a unique ID for your institution, called the institutionID. It follows a digit hexadecimal code format such as: 69a1e097-d243-74d2-9545-5676eb5bed7b9
⚠️ You will need your institution's unique ID in order to call our API.
💡 We will also give you access to a dedicated API collection on Postman.
For added security, access to the API is restricted by IP whitelisting. We will whitelist any IP that you give us. You have several options when it comes to the IPs:
- Static IPs
- IP ranges
- Daily IP whitelisting link: Received automatically for fast manual testing
You can request the whitelisting of further IPs or IP ranges at any time.
In your API calls, you will need to set the variables baseUrl and baseUrlWebsites. These depend on the environment (UAT or Production), but are otherwise static:
UAT:
BaseUrl: https://uat.api.nyala.de
BaseUrlWebsite: https://uat.vault.nyala.de
Production:
BaseUrl: https://api.nyala.de
BaseUrlWebsite: https://vault.nyala.de
They are also set and displayed in your Postman API collection.
This API uses HMAC (Hash-based Message Authentication Code) for security. Every request must include an Authorization header containing a signature generated using your Secret Key.
| Header | Value |
|---|---|
| Authorization | `HMAC <API_KEY>:<SIGNATURE>` |
| Content-Length | The byte length of the request body |
The signature is a Base64 encoded HMAC-SHA256 hash. The "message" to be signed is constructed by concatenating the following strings in order:
- Content Length: The length of the request body (or "0" if empty).
- HTTP Method: (e.g., `GET`, `POST`, `PATCH`).
- Normalized URL: The full URL, converted to lowercase, with the `?` removed.
You can use this logic in your frontend or Node.js applications:
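```javascript
// Node.js: npm package "crypto-js"; in the browser, load CryptoJS via your bundler.
const CryptoJS = require("crypto-js");

// contentLength, method, url, apiKey and apiSecret come from the request being sent.
const msg = `${contentLength || 0}${method}${url.replace("?", "").toLowerCase()}`;
const hmac = CryptoJS.HmacSHA256(msg, apiSecret);
const signature = CryptoJS.enc.Base64.stringify(hmac);
const authHeader = `HMAC ${apiKey}:${signature}`;
```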
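The signing scheme described above, written against Node's built-in `crypto` module. This is an added example, not code from the API provider. It also shows a receiving-side check with a constant-time comparison. The `verify` function, the `lookupSecret` helper, the `/v1/Items` path and the demo credentials are assumptions made for illustration.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Content-Length is a byte count; string length differs for non-ASCII bodies.
const byteLength = (body) => (body ? Buffer.byteLength(body, "utf8") : 0);

// Message to sign: content length + HTTP method + normalized URL.
// As in the snippet above, only the first "?" is removed before lowercasing.
function buildMessage(method, url, body) {
  return `${byteLength(body)}${method}${url.replace("?", "").toLowerCase()}`;
}

// Base64-encoded HMAC-SHA256 of the message, keyed with the Secret Key.
function sign(method, url, body, apiSecret) {
  return createHmac("sha256", apiSecret)
    .update(buildMessage(method, url, body), "utf8")
    .digest("base64");
}

// The two headers every request must carry.
function authHeaders(method, url, body, apiKey, apiSecret) {
  return {
    Authorization: `HMAC ${apiKey}:${sign(method, url, body, apiSecret)}`,
    "Content-Length": String(byteLength(body)),
  };
}

// Hypothetical receiving-side check: recompute, then compare in constant time.
// lookupSecret(apiKey) is an assumed helper returning the secret or undefined.
function verify(header, method, url, body, lookupSecret) {
  const m = /^HMAC ([^:\s]+):([A-Za-z0-9+/]+=*)$/.exec(header || "");
  const secret = m && lookupSecret(m[1]);
  if (!secret) return false;
  const expected = Buffer.from(sign(method, url, body, secret), "base64");
  const given = Buffer.from(m[2], "base64");
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed sample values (not real credentials; the path is made up).
const demoUrl = "https://uat.api.nyala.de/v1/Items?Page=2";
const demoHeaders = authHeaders("GET", demoUrl, "", "demo-key", "demo-secret");
console.log(buildMessage("GET", demoUrl, ""), demoHeaders);
```

Passing the body as the exact string that goes on the wire keeps the signed length and the `Content-Length` header in agreement.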