# Getting Started The Card API is organized around [REST](http://en.wikipedia.org/wiki/Representational_State_Transfer). Our API has predictable resource-oriented URLs, accepts [JSON-encoded](http://www.json.org/) request bodies, returns [JSON-encoded](http://www.json.org/) responses, and uses standard HTTP response codes, authentication, and verbs. \ All API uses API secret keys to authenticate requests. Any request that doesn't include an API key will return an error. ## Issuing API Credentials Generate an API secret key for signing requests (see the next section for how to sign requests with the API secret key):: \* Signature argorithm: ``` SHA1WithRSA ``` \ **First,** Run the following command line to generate an RSA 2048 private key (stored in muse\_secret.key):

//generate new private key
openssl req -new -newkey rsa:2048 -nodes -keyout muse_secret.key

//export public key from private key
openssl rsa -in muse_secret.key -pubout

{% hint style="info" %} Make sure you keep the API secret key safe and secure! {% endhint %} **Then go to the** [**dashboard**](https://agent.musepay.io) **and upload the public key.** MuseCard will use your public key to verify the API calls.

**Also remember to download MuseCard's public key** as you need to verify the notification from MuseCard API. ## Signing a Request All API calls must be authenticated. {% hint style="info" %} * all the fields should be sorted in *alphabetical order* by the *key* * *Empty* field should be exclude from the signature. * fields key name are case sensitive {% endhint %} For example： assume the raw data are below： ``` partner_id:200001 request_id:2022031620000900005143515921 nonce:5K8264ILTKCH16CQ2502SI8ZNMTM67VS ``` step 1: the data should be put in the format of 'key=value' ,and sorted in *alphabetical order* by the *key.* {% code overflow="wrap" %} ``` message="nonce=5K8264ILTKCH16CQ2502SI8ZNMTM67VS&partner_id=100001&request_id=2020031620000900005143515921" ``` {% endcode %} step 2: attach the api signature {% code overflow="wrap" %} ``` sign=Base64Utils.encodeToString(sign(message,privateKey)) ``` {% endcode %}

Code example（JAVA）

```java // Some code import org.springframework.util.Base64Utils; import java.security.KeyFactory; import java.security.PrivateKey; import java.security.Signature; import java.security.spec.PKCS8EncodedKeySpec; public static final String SIGN_ALGORITHMS = "SHA1WithRSA"; try { PKCS8EncodedKeySpec priPKCS8 = new PKCS8EncodedKeySpec(Base64Utils.decodeFromString(privateKey)); KeyFactory keyf = KeyFactory.getInstance("RSA"); PrivateKey priKey = keyf.generatePrivate(priPKCS8); Signature signature = Signature.getInstance(SIGN_ALGORITHMS); signature.initSign(priKey); signature.update(content.getBytes(inputCharset)); byte[] signed = signature.sign(); return Base64Utils.encodeToString(signed); } catch (Exception e) { e.printStackTrace(); } ```

Code example（Javascript）

````java ```javascript import { hex2b64, KJUR } from 'jsrsasign' import queryString from 'query-string' import Axios from 'axios' function buildCommonParams() { return { partner_id: this.partnerId, sign_type: 'RSA', timestamp: new Date().getTime(), nonce: new Date().getTime() } } function buildSignContent(params) { // console.log(`privateKey: `, this.privateKey) Object.keys(params).forEach(key => { if (!params[key]) { params[key] = undefined } }) params.sign = undefined return queryString.stringify(params, { encode: false }) } function sign(content) { console.log(`sign content: `, content) const sig = new KJUR.crypto.Signature({ 'alg': 'SHA1withRSA', 'prov': 'cryptojs/jsrsa', 'prvkeypem': `-----BEGIN PRIVATE KEY-----${this.privateKey}-----END PRIVATE KEY-----` }) // console.log(sig) sig.updateString(content) const signedHex = sig.sign() // console.log(signedHex) const result = hex2b64(signedHex) console.log(`result: `, result) return result } // example const data = Object.assign(this.buildCommonParams(), { currency }) const content = this.buildSignContent(data) data.sign = this.sign(content) return this.axios({ url: '/v1/carduser/creaate', method: 'post', data: data }) ``` ````

Code example（PHP）

````java ```php ``` ````

step 3: finally get the request data {% code overflow="wrap" %} ``` { "partner_id":"200001" "request_id":"2020031620000900005143515921" "nonce":"5K8264ILTKCH16CQ2502SI8ZNMTM67VS" "sign":"LP0WrOk2N++KfizhZOoU23giqqylH1YX7U0NGm+U86Cznvf/IwvNrUVV1FZFrBOvAXBOi0EhUv2zxHzUwutww4Iuu25+qLV1L4I+kjwkE+70B0uFfoowSpCnuvHJ8fzT3uy4+KwPQCfT+H/BYEoXlSTO6VnAUD3qs9l/aQLKZxT7iURgdxVnc+7K5JiaThZ+TqFTL3kaVDD12H2orznA/QAhiosqIZXvpj4BbsvZO/c92dwS18HJKB5+qFxOwU+bsgFz6La+7ZZEnfS9cgIB43qeNi7eIVHwOH+YddbN8t+QxNDCZAaAf6p9mX8OhsuBi93cJZwh52jqmoFluOJbww==" } ``` {% endcode %} ## IP Whitelisting \ MuseCard supports restriction of API calls to be accepted only from a specific IP address per API key. If you wish to whitelist your IP address, please contact our technical support with the IP of the machine running your API client and the matching API key.
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs-card.musepay.io/getting-started.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.