I’ve worked with a lot of DOT type data and I have to say Massachusetts takes the cake for a seemingly unnecessarily complicated authentication process. The processes is documented on their /auth-token API.

This endpoint is available to all authorized users. The content of the response is the same for all user groups. The Bearer signature generation that uses this token is performed as follows.

MADOT

Ok, here is the six, yes six step process to authenticate MASSDOT APIs:

Step 1: Concatenate the user’s secret key with the token provided herein, separated by a colon. (‘SecretKey:token’)

Step 2: Create a SHA256 hash of the concatenated string. (i.e. SHA256(secretKey:token))

Step 3: Convert the generated hash to a hexadecimal string representation

Step 4: Concatenate the user’s username with the hexadecimal hash, separated by a colon. (‘username:hexadecimalHash’)

Step 5: Create the base-64 string representation of the concatenation. (Base64(‘username:hexadecimalHash’))

Step 6: The result is the signature required for Bearer type authorization. (Authorization Bearer ‘generated signature’)

Btw, I provided this gist to MASSDOT in the event they want to link/share for other developers.