# Customer API

The Customer API is a REST via HTTPS interface. You can use it to create a new customer (investor) entity in our system, to save their KYC data, request wallet openings, whitelist customers (= authorize them to hold a specific token) and to send order data.

> ℹ️ For API clients, integrating with our Customers API is the minimum level of integration required, since customers / investors cannot be created manually in our system.


As a prerequisite to the NYALA API integration, you must already have built the following functions in your interface:

1. An API endpoint to transmit AML/KYC data, the Investor’s investment amount and
number of tokens to NYALA.
2. An interface to display crypto wallet information (e.g. a link to view wallet in the
blockchain explorer).
3. An interface (e.g. a digital postbox) to share mandatory registry extracts with your Investors.


## Tokenization API sequence diagram

The following steps detailed in this chapter’s sub-pages **must be followed in order**.

IMAGE

Skipping a step of the process will likely result in an error.

## Authentication

This API uses **HMAC (Hash-based Message Authentication Code)** for security. Every request must include an `Authorization` header containing a signature generated using your Secret Key.

### Headers

| Header | Value |
|  --- | --- |
| `Authorization` | `HMAC <API_KEY>:<SIGNATURE>` |
| `Content-Length` | The byte length of the request body |


### Signature Calculation

The signature is a Base64 encoded HMAC-SHA256 hash. The "message" to be signed is constructed by concatenating the following strings in order:

1. **Content Length**: The length of the request body (or "0" if empty).
2. **HTTP Method**: (e.g., `GET`, `POST`, `PATCH`).
3. **Normalized URL**: The full URL, converted to lowercase, with the `?` removed.


### JavaScript Example

You can use this logic in your frontend or Node.js applications:


```javascript
const msg = `${contentLength || 0}${method}${url.replace("?", "").toLowerCase()}`;
const hmac = CryptoJS.HmacSHA256(msg, apiSecret);
const signature = CryptoJS.enc.Base64.stringify(hmac);
const authHeader = `HMAC ${apiKey}:${signature}`;
```