Lazada API Signing Nuance

One of our clients wants to integrate their e-commerce app with Lazada. Lazada has two ways to integrate with their API: you can download and use their official SDK or make HTTP calls. I often stay away from built-in SDKs as they are usually not worth the headache. It’s just an additional layer that you have to wrestle with.

As with most API calls, you need to sign your request and include the signature as part of it. The path, request parameters, and the handshake credentials (application key, secret key, and authorisation code) are part of the signature.

So, using .NET’s native HttpClient, I set the base URI:

https://api.lazada.com.ph/rest/ 

and the path of the API:

/auth/token/create

Then I attached the parameters together with the signature and made the call. First, I got a 404 error. Upon inspecting, the whole URL request looked like this:

https://api.lazada.com.ph/auth/token/create 

`/rest` was omitted. I dug a little and found out about this little nuance in how HttpClient BaseUri works. So I adjusted accordingly.

BaseUri: https://api.lazada.com.ph/rest/ (with trailing slash)
Path: auth/token/create (no leading slash)

And it was a success! I got 200 this time. However, another curious error popped up: “The request signature does not conform to lazada (sic) standards.” This is weird because I was confident that my signature was correct; it was their code. I took it directly from their documentation.

Turns out that the trailing slash in the path is the culprit. The API expects you to sign the path with the trailing slash in it.
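The two behaviours described above, side by side, as an added example that is not the author's or Lazada's code: how a base URI resolves a path with and without a leading slash, and how the signature changes when the signed path string differs from the one the server expects. It assumes Lazada's published HMAC-SHA256 scheme and that the signed form is `/auth/token/create`, the API path as the page first gives it; `LazadaSignDemo`, `Sign` and all parameter values are hypothetical or constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class LazadaSignDemo // hypothetical name
{
    // Assumption: HMAC-SHA256, keyed with the app secret, over
    // apiPath + key1value1key2value2... (keys in ordinal order), as uppercase hex.
    static string Sign(string apiPath, IDictionary<string, string> parameters, string appSecret)
    {
        var sb = new StringBuilder(apiPath);
        foreach (var p in parameters.Where(p => p.Key != "sign")
                                    .OrderBy(p => p.Key, StringComparer.Ordinal))
            sb.Append(p.Key).Append(p.Value);
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(appSecret));
        byte[] digest = hmac.ComputeHash(Encoding.UTF8.GetBytes(sb.ToString()));
        return BitConverter.ToString(digest).Replace("-", "");
    }

    static void Main()
    {
        var baseUri = new Uri("https://api.lazada.com.ph/rest/");
        const string apiPath = "/auth/token/create"; // form that is signed (assumed)
        string relative = apiPath.TrimStart('/');     // form that is sent

        // RFC 3986 resolution: a leading slash replaces the base path, so /rest is lost;
        // the relative form is appended to the base path, so /rest is kept.
        Console.WriteLine(new Uri(baseUri, apiPath));
        Console.WriteLine(new Uri(baseUri, relative));

        var parameters = new Dictionary<string, string>
        {
            ["app_key"] = "100000",           // constructed
            ["code"] = "0_100000_example",    // constructed
            ["sign_method"] = "sha256",
            ["timestamp"] = "1700000000000",  // constructed
        };
        const string secret = "example-app-secret"; // constructed

        // Same parameters and secret, different path string: the signatures differ,
        // so the string sent and the string signed must be tracked separately.
        string expected = Sign(apiPath, parameters, secret);
        string mismatched = Sign(relative, parameters, secret);
        Console.WriteLine($"signed {apiPath}: {expected}");
        Console.WriteLine($"signed {relative}: {mismatched}");
        Console.WriteLine($"match: {expected == mismatched}");
    }
}
```

Keeping one canonical API path and deriving the request form from it avoids signing whatever string happened to be passed to the HTTP client.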