HMAC
Most core API calls are secured using the same HMAC approach as Amazon Web Services' Signature Version 4 signing process
(see also http://security.stackexchange.com/questions/77372/unusual-design-aspects-of-aws-hmac-based-authentication-v4),
except that whereas an AWS signature key is derived like this (from http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html)...
static byte[] getSignatureKey(String key, String dateStamp, String regionName, String serviceName) throws Exception {
    byte[] kSecret = ("AWS4" + key).getBytes("UTF8");
    byte[] kDate = HmacSHA256(dateStamp, kSecret);
    byte[] kRegion = HmacSHA256(regionName, kDate);
    byte[] kService = HmacSHA256(serviceName, kRegion);
    byte[] kSigning = HmacSHA256("aws4_request", kService);
    return kSigning;
}
A TAS signature key for a core API call (inbound or outbound) is derived like this, with no region or service step (HmacSHA256(data, key) is the helper from the AWS page linked above)...
static byte[] getSignatureKey(String key, String dateStamp) throws Exception {
    byte[] kSecret = ("TAS4" + key).getBytes("UTF8");          // secret prefixed with "TAS4" rather than "AWS4"
    byte[] kDate = HmacSHA256(dateStamp, kSecret);             // scope the key to the request date (yyyyMMdd, UTC)
    byte[] kSigning = HmacSHA256("tas4_request", kDate);       // terminator string; keyed with kDate, not an undefined kService
    return kSigning;
}
A correctly formed request looks like this, for example (in this case a call to GET /routes):
POST https://core.talentappstore.com/api/v1/routes HTTP/1.1
Authorization: TAS4-HMAC-SHA256 Credential=jobboard/20150702/tas4_request, SignedHeaders=content-type;host;x-tas-date, Signature=ced6826de92d2bdeed8f846f0bf508e8559e98e4b0199114b84c54174deb456c
Host: core.talentappstore.com
Content-type: application/json; charset=utf-8
x-tas-date: 20150702T233600Z
TODO: check the location of the URL
Additional formatting rules:
- Header names must be lower-cased when listed in SignedHeaders
- The Credential must contain the current date in UTC in "yyyyMMdd" format
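The following is an added Python example, not code from the TalentAppStore project, that ties together the key derivation shown above and the formatting rules just listed from the receiving side: it derives the TAS4 signing key exactly as getSignatureKey does, parses the example Authorization header into its Credential scope, SignedHeaders and Signature, checks the two formatting rules, and recomputes and compares a signature in constant time. The page does not describe how the string to sign is canonicalised, so signature_matches takes that string as a caller-supplied argument (an assumption); the function names, the EXAMPLE_AUTH constant (copied from the request above) and the sample secret are all constructed for this example.

```python
import hashlib
import hmac
import re
from datetime import datetime

# Authorization header copied from the example request above (constructed test input for this example).
EXAMPLE_AUTH = ("TAS4-HMAC-SHA256 Credential=jobboard/20150702/tas4_request, "
                "SignedHeaders=content-type;host;x-tas-date, "
                "Signature=ced6826de92d2bdeed8f846f0bf508e8559e98e4b0199114b84c54174deb456c")


def hmac_sha256(key: bytes, data: str) -> bytes:
    """Same operation as the AWS sample's HmacSHA256(data, key): HMAC-SHA256 over the UTF-8 bytes of data."""
    return hmac.new(key, data.encode("utf-8"), hashlib.sha256).digest()


def tas_signing_key(secret: str, date_stamp: str) -> bytes:
    """Derive the TAS signing key as getSignatureKey(key, dateStamp) above:
    kDate = HMAC(key="TAS4"+secret, data=dateStamp); kSigning = HMAC(key=kDate, data="tas4_request")."""
    k_secret = ("TAS4" + secret).encode("utf-8")
    k_date = hmac_sha256(k_secret, date_stamp)
    return hmac_sha256(k_date, "tas4_request")


_AUTH_RE = re.compile(
    r"^TAS4-HMAC-SHA256 Credential=(?P<cred>[^,\s]+), "
    r"SignedHeaders=(?P<sh>[^,\s]+), Signature=(?P<sig>[0-9a-f]{64})$"
)


def parse_authorization(header: str) -> dict:
    """Split the Authorization header into key id, date scope, signed-header list and hex signature."""
    m = _AUTH_RE.match(header)
    if m is None:
        raise ValueError("not a TAS4-HMAC-SHA256 Authorization header")
    scope = m.group("cred").split("/")
    if len(scope) != 3 or scope[2] != "tas4_request":
        raise ValueError("Credential must be <keyid>/<yyyyMMdd>/tas4_request")
    return {
        "key_id": scope[0],
        "date": scope[1],
        "signed_headers": m.group("sh").split(";"),
        "signature": m.group("sig"),
    }


def check_formatting_rules(auth: dict, today_utc: str) -> list:
    """Return the violations of the two formatting rules (empty list = well formed).
    today_utc is the server's current UTC date as yyyyMMdd, passed in so the check is deterministic."""
    problems = []
    for name in auth["signed_headers"]:
        if name != name.lower():
            problems.append("SignedHeaders entry not lower-cased: " + name)
    try:
        datetime.strptime(auth["date"], "%Y%m%d")
    except ValueError:
        problems.append("Credential date is not yyyyMMdd: " + auth["date"])
    else:
        if auth["date"] != today_utc:
            problems.append("Credential date %s is not the current UTC date %s" % (auth["date"], today_utc))
    return problems


def signature_matches(secret: str, auth: dict, string_to_sign: str) -> bool:
    """Recompute the signature under the key derived for the Credential date and compare in constant time.
    Canonicalisation of string_to_sign is not described on this page, so the caller supplies it (assumption)."""
    key = tas_signing_key(secret, auth["date"])
    expected = hmac_sha256(key, string_to_sign).hex()
    return hmac.compare_digest(expected, auth["signature"])


if __name__ == "__main__":
    parsed = parse_authorization(EXAMPLE_AUTH)
    print(parsed)
    print(check_formatting_rules(parsed, "20150702"))                      # [] for the page's example
    bad = {"date": "2015-07-02", "signed_headers": ["Content-Type"], "signature": ""}
    print(check_formatting_rules(bad, "20150702"))                         # two violations
```

Two design points worth noting: the server looks the secret up by the key id in the Credential (jobboard in the example) and derives the day-scoped key itself rather than storing it, and hmac.compare_digest is used for the final comparison so that the time taken does not depend on how many leading bytes of a guessed signature happen to be right.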