I get the error {“code”:”1002″,”message”:”Authorization error: Full authentication is required to access this resource »}. What should I do?

The message {"code": "1002″, "message": "Authorization error: Full authentication is required to access this resource"} indicates an Authentication problem.

To use API-money, it's needed to be able to authenticate the user who initiated the request.


You can start with a simple GET request, without a "body", such as :

GET /accounts

This will also enable you to retrieve your Partner account identifier, already created in the system (cf. doc : https://www.api-money.com/docs/#Accountservices-Createanaccount-Standard & https://www.api-money.com/docs/#Overview-Authentication).

Below is a detailed example of query construction, with the following test parameters:

– sandbox URL : https://test-emoney-services.w-ha.com/dashboard/#/login
– api_access_key : k1rXpphkRG!2-Fox
– api_secret_key : E0!oYfVpA6-noiqGr-pT7AJ2ybT4r7lx
– version : 1


1°) First step : “StringToSign”

The first step is to construct the "message" to be signed.

StringToSign = api_access_key:timestamp:version:

Example :

> StringToSign = k1rXpphkRG!2-Fox:timestamp:1:

(above the :timestamp: value must contain a timestamp of a sequence of digits, like this :1672650133163: )



The timestamp (unix) designates the number of seconds elapsed since January 1, 1970 at midnight UTC (cf. http://www.timestamp.fr).

In API-money requests, you must indicate the timestamp (in milliseconds) corresponding to the moment your request is sent to the API-money platform.


2°) Second step: “Sign”

The second step consists of encoding the "Sign" in HMCA (SHA256) using the "message" to be signed (StringToSign) and the secret key (api_secret_key).
HMAC encoding ensures message integrity.

Sign = HMAC-SHA256(StringToSign, api_secret_key)
Sign = HMAC-SHA256(k1rXpphkRG!2-Fox:1672650133163:1:, E0!oYfVpA6-noiqGr-pT7AJ2ybT4r7lx)

Example :

> Sign = fdc93dee9a203b2a544e7bcc5f34918e89c547c2ee5503071482a9fbfb3e4e8e

You can check your HMAC calculation using, for example, the tool: https://www.freeformatter.com/hmac-generator.html#ad-output


 3°) Third step: Request (in theory)

All that remains is to generate and send the request to the platform URL:

GET /accounts

Header parameter:

Authorization: AUTH api_access_key:timestamp:version:Sign

Example :

URL endpoint : GET /accounts
> Header : Authorization : AUTH k1rXpphkRG!2-Fox:1672650133163:1:fdc93dee9a203b2a544e7bcc5f34918e89c547c2ee5503071482a9fbfb3e4e8e


4°) Fourth step: the Request (in practice)

To check that the request is working properly, you can run the following CURL command with your own credentials and add your timestamp and your Sign (encoded HMAC SHA256):

curl –location –request GET ‘https://test-emoney-services.w-ha.com/api/accounts’ \
–header ‘Authorization: AUTH odzAr67enYtX7vDdiLwdMYOTh6R4ZQUz:[Timestamp]:1:[Sign]’


WARNING: once the request has been prepared, it is only valid for 1 hour (the timestamp must not be more than 5 minutes old at time T of the request) in the test environment (sandbox)!


You should get a result like :

        “id”: “AB-0895358735216643”,
        “type”: “BUSINESS”,
        “status”: “ACTIVE”,
        “tag”: “account_type1”,
        “creation_date”: “2022-12-23T14:40:26+0100”,
        “kyc_level”: “LEVEL_1”
        “id”: “AS-5205597398211593”,
        “type”: “STANDARD”,
        “status”: “ACTIVE”,
        “tag”: “account_type1”,
        “creation_date”: “2022-12-23T14:20:37+0100”,
        “kyc_level”: “LEVEL_1”