1. Create an API key
Log into the customer portal under "Reseller API" and create a key. Only enable the scopes you actually need (default is read-only). The secret is shown exactly once, store it safely in your secret manager.
2. Store the credentials
Save key and secret as environment variables. Never in code, never in a repository.
# .env or shell profile
export KH_KEY="kh_live_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
export KH_SECRET="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"3. Send your first request
List the available products. The signature is built over method, path, timestamp, nonce and body hash.
TS=$(date +%s)
NONCE=$(openssl rand -hex 16)
BODY_SHA256=$(printf '' | openssl dgst -sha256 -hex | awk '{print $2}')
SIG_INPUT=$(printf 'GET\n/v1/products\n%s\n%s\n%s' "$TS" "$NONCE" "$BODY_SHA256")
SIG=$(printf '%s' "$SIG_INPUT" | openssl dgst -sha256 -hmac "$KH_SECRET" -hex | awk '{print $2}')
curl https://www.kernelhost.com/cp/kh_reseller_api/v1/products \
-H "KH-Key: $KH_KEY" \
-H "KH-Timestamp: $TS" \
-H "KH-Nonce: $NONCE" \
-H "KH-Signature: $SIG"4. Place an order
Important: POST /v1/orders requires an Idempotency-Key. On network retry with the same key you get the same response back, no double order.
BODY='{"product_id":42,"billing_cycle":"monthly"}'
BODY_SHA256=$(printf '%s' "$BODY" | openssl dgst -sha256 -hex | awk '{print $2}')
TS=$(date +%s)
NONCE=$(openssl rand -hex 16)
IDEM=$(openssl rand -hex 16)
SIG_INPUT=$(printf 'POST\n/v1/orders\n%s\n%s\n%s' "$TS" "$NONCE" "$BODY_SHA256")
SIG=$(printf '%s' "$SIG_INPUT" | openssl dgst -sha256 -hmac "$KH_SECRET" -hex | awk '{print $2}')
curl -X POST https://www.kernelhost.com/cp/kh_reseller_api/v1/orders \
-H "KH-Key: $KH_KEY" \
-H "KH-Timestamp: $TS" \
-H "KH-Nonce: $NONCE" \
-H "KH-Signature: $SIG" \
-H "Idempotency-Key: $IDEM" \
-H "Content-Type: application/json" \
--data "$BODY"5. Set up a webhook (optional)
Register an HTTPS URL per key to receive events asynchronously (order.paid, service.provisioned, invoice.created). Payload signature follows the Stripe scheme.
