Notice of PrintOS API Security Change

To continue providing secure access to your organization’s PrintOS data HP is increasing the level of security required to access the external PrintOS APIs.
The change, that will take effect on March 30th 2022, will most likely require some minor software development changes to any application that currently calls the PrintOS APIs. The technical details of this change are described below.

This alert is relevant for you if you, your software partner or your software organization have developped a connector in the PrintOS marketplace to authenticate to one or more of the following applications APIs:

  • PrintOS Print Beat API (including Color Beat and OEE)
  • PrintOS Print Beat Jobs API
  • PrintOS Composer API
  • PrintOS Box API
  • PrintOS Supplies Inventory Management API
  • Some HP Site Flow services

To prevent any interruption of services to these APIs, please implement the required change as soon as possible, in the next few weeks.

If you are using a 3rd party solution which is making calls to one or more of these APIs please contact the solution’s vendor to ensure implementing the change on time. 

If you, or your solution’s vendor, have any questions or concerns about this change please contact:

Technical Details of the upcoming change:

In order to authenticate with PrintOS for any external API calls an authorization HMAC must be generated by the software making the API call.
Currently this HMAC can be generated using either the SHA1 or SHA256 cryptographic hash algorithms. However, due to potential security concerns with the SHA1 algorithm, as of March 30th 2022 this method of authentication will not be supported.
All applications using PrintOS APIs must use the SHA256 hash algorithm moving forward. Any API traffic attempting to use SHA1 will fail to authenticate and receive a 400 Not Authorized

Changing from SHA1 to SHA256 requires 2 relatively minor changes:

  1. The algorithm used to generate the hash by the application must be changed from SHA1 to SHA256.
  2. An HTTP header named ‘x-hp-hmac-algorithm’ with the value of ‘SHA256’ must be sent with each API call.

Additional details on this authentication method can be found here: https://developers.hp.com/printos-hp-indigo-integration-hub/doc/printos-api-authentication
SHA256 based authentication is currently supported, so this change should be made as soon as possible.
The PrintOS team is working to update the current code samples in our GitHub repository. If you are currently using one of these code samples please let us know so we can prioritize that update.