...

It is important to note that this authentication method also requires the HTTP header called ‘timestamp’, which must hold the exact value that is used in the first step of the table above. For the above example a Service Consumer would set the following two HTTP headers in each request to utilise the SIF HMAC/SHA1 authentication method:

...

If the timestamp HTTP header is not provided then authentication on the Service Provider must fail. The Service Provider must respond with an HTTP Error Status of 401 (Not Authorized).

Another advantage this authentication method offers is that the <credentials> are different for each service consumer request, because the timestamp used to generate the <credentials> token should be different for each request. Since the timestamp is also required in an HTTP header, the service provider can check whether the <credentials> are “expired” (e.g. older than 5 minutes) and return an HTTP Error Status of 401 if they are. This also prevents a “replay” of a request by an unauthorised source that has got hold of the <credentials> token at some stage.
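The Service Provider side of the checks described above (missing timestamp header, expired timestamp, tampered token), as an added example that is not part of this page or of the SIF specification text. The token layout used here, base64(applicationKey ":" base64(HMAC-SHA1(timestamp, sharedSecret))), the scheme name SIF_HMACSHA1, the ISO 8601 UTC timestamp format and the sample key/secret are all assumptions made for the illustration and must be checked against the actual table on the page before reuse:

```python
import base64
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample credential store: application key -> shared secret.
# Hypothetical values, not taken from the page or any real deployment.
SECRETS = {"app-key-1234": b"shared-secret-abcd"}

# Acceptance window for the timestamp header (the page's "older than 5 minutes").
MAX_AGE = timedelta(minutes=5)

# Assumed scheme name in the Authorization header (not confirmed by the page).
SCHEME = "SIF_HMACSHA1"

def hmac_sha1_b64(secret: bytes, timestamp: str) -> str:
    """Inner part of the token: base64 of HMAC-SHA1 keyed with the shared secret over the timestamp."""
    mac = hmac.new(secret, timestamp.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")

def make_credentials(app_key: str, secret: bytes, timestamp: str) -> str:
    """Service Consumer side: build the <credentials> token for one request.

    Assumed layout: base64( app_key + ":" + base64( HMAC-SHA1(key=secret, msg=timestamp) ) )
    Because the timestamp changes per request, so does the token.
    """
    inner = hmac_sha1_b64(secret, timestamp)
    return base64.b64encode(f"{app_key}:{inner}".encode("utf-8")).decode("ascii")

def verify_request(headers: dict, now: datetime) -> tuple[int, str]:
    """Service Provider side check. Returns (http_status, reason); 401 on any failure."""
    auth = headers.get("Authorization")
    ts = headers.get("timestamp")
    if auth is None or ts is None:
        return 401, "missing Authorization or timestamp header"
    try:
        sent = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return 401, "malformed timestamp"
    # Reject expired (or implausibly future) timestamps to bound the replay window.
    if abs(now - sent) > MAX_AGE:
        return 401, "timestamp outside acceptance window"
    scheme, _, token = auth.partition(" ")
    if scheme != SCHEME or not token:
        return 401, "unsupported scheme"
    try:
        app_key, _, presented = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, "malformed credentials"
    secret = SECRETS.get(app_key)
    if secret is None:
        return 401, "unknown application key"
    # Recompute the MAC over the timestamp header that was actually sent; a token
    # generated for another timestamp will not match. Constant-time comparison
    # avoids leaking how many leading bytes were correct.
    expected = hmac_sha1_b64(secret, ts)
    if not hmac.compare_digest(expected.encode("ascii"), presented.encode("ascii")):
        return 401, "bad signature"
    return 200, "ok"

def demo() -> dict:
    """Run the four cases from the text against a constructed request and return the statuses."""
    now = datetime(2024, 1, 15, 10, 30, 0, tzinfo=timezone.utc)   # constructed clock
    ts = "2024-01-15T10:28:00Z"                                  # constructed, 2 min old
    token = make_credentials("app-key-1234", SECRETS["app-key-1234"], ts)
    good = {"Authorization": f"{SCHEME} {token}", "timestamp": ts}
    return {
        "valid": verify_request(good, now)[0],
        "no_timestamp_header": verify_request({"Authorization": good["Authorization"]}, now)[0],
        "replayed_10_min_later": verify_request(good, now + timedelta(minutes=10))[0],
        "timestamp_header_changed": verify_request(
            {"Authorization": good["Authorization"], "timestamp": "2024-01-15T10:29:00Z"}, now)[0],
    }

if __name__ == "__main__":
    print(demo())
```

The replayed and the tampered cases both fail for the reason the text gives: the token is bound to one timestamp, and that timestamp must be both present as a header and inside the acceptance window, so a captured token stops working after the window closes.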

...