cowinapi / developer.cowin

This group is created to facilitate technical and integration discussions related to cowin platform. API related contents can be obtained at API setu portal https://apisetu.gov.in/public/marketplace/api/cowin

Server returned HTTP response code: 504 for URL: https://cdn-api.co-vin.in/api/v2/auth/validateMobileOtp #345

Open raviprasa18 opened 3 years ago

raviprasa18 commented 3 years ago

This code was working till yesterday night. From morning it stopped working. Even with Postman, I am getting a similar error, a timeout error.

Only this URL fails: https://cdn-api.co-vin.in/api/v2/auth/validateMobileOtp. However, the URL https://cdn-api.co-vin.in/api/v2/auth/generateMobileOTP works fine; I get the {"txnId":"81800839-61a8-4174-b6c7-268a6623fed6"} and get the SMS correctly.

If I try the same API from the browser it works fine. Even the same problem comes up on the Oracle Cloud machine I have. Are my IPs blocked?

This is the Postman log file:

```
POST /api/v2/auth/validateMobileOtp HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Accept: */*
Postman-Token: ca6bc5e7-5c2a-4425-937f-7ed41500c289
Host: cdn-api.co-vin.in
Content-Length: 133

{ "otp": "5dbda38d67123c4cae7884286ad86d28398c6fa86e5b5f83904b429bf353d10c", "txnId": "b1bce381-ce92-4f25-bb7f-8128ab7c62c7" }

HTTP/1.1 504 Gateway Timeout
Content-Type: application/json
Content-Length: 41
Connection: keep-alive
Date: Tue, 25 May 2021 10:37:54 GMT
x-amzn-RequestId: 2bd7630c-1b09-460b-a0bd-d1e89003cda4
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token
x-amzn-ErrorType: InternalServerErrorException
x-amz-apigw-id: f4X34Eu4hcwFsbw=
Access-Control-Allow-Methods: DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT
X-Amzn-Trace-Id: Root=1-60acd365-4892e0e15816c2b7713df2aa
X-Cache: Error from cloudfront
Via: 1.1 2637c2e46ac25528bd5f20a1b0d126eb.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: CCU50-C2
X-Amz-Cf-Id: WfxZVeyVeIuAolThkG3LfeaJ6Vcla76n29os3wnjmuZfn39oZWZxUQ==

{"message": "Endpoint request timed out"}
```

amartya-s commented 3 years ago

/generateMobileOTP is a protected API and is used only by the CoWIN website. Nowhere in the api-setu portal does it mention this API. Further, if you inspect the request payload while logging in using the CoWIN website, they pass a secret key, which earlier was a fixed token, and I was able to use the API using that token. However, it seems there's been an update yesterday, and now the secret token changes on every API call. The protected API section of api-setu says [Updated on 25 May 2021]. So, there's been an update yesterday and it seems we can't use this API anymore to login.

/generateMobileOTP payload when tried from CoWIN website: {"secret":"U2FsdGVkX18Zc8wJNqTsxWFwK6COcDeyl8vRAaLWsrNzgm54RqJvpRVUeD1***P1CpH6jtgbXJNFstm5A==","mobile":***}

raviprasa18 commented 3 years ago

Thank you, Amartya. You are right. Now I started using https://cdn-api.co-vin.in/api/v2/auth/public/generateOTP and https://cdn-api.co-vin.in/api/v2/auth/public/confirmOTP; with this I am able to generate the JWT token.

amartya-s commented 3 years ago

Hi Ravi, are you able to authenticate successfully using those? I'm not able to. Even though I'm able to get the OTP, the second call to confirmOTP returns an unauthenticated error.

raviprasa18 commented 3 years ago

Hi Amartya,

It is working fine. This is my Java code.

```java
// Imports needed by this method
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.Reader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

public static String validateMobileOtp(String otp, String txnId) throws Exception {

    // Equivalent curl call:
    // curl -X POST "https://cdn-api.co-vin.in/api/v2/auth/public/confirmOTP" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"otp\":\"8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92\",\"txnId\":\"3fa85f64-5717-4562-b3fc-2c963f66afa6\"}"
    URL url = new URL("https://cdn-api.co-vin.in/api/v2/auth/public/confirmOTP");
    HttpURLConnection con = (HttpURLConnection) url.openConnection();
    con.setRequestMethod("POST");
    con.setRequestProperty("Content-Type", "application/json");
    con.setRequestProperty("Accept-Language", "en-US,en;q=0.5");
    con.setRequestProperty("Cache-Control", "no-cache");
    con.setRequestProperty("Pragma", "no-cache");
    con.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66");
    con.setRequestProperty("TE", "Trailers");
    con.setRequestProperty("Accept", "application/json");
    // Host and Content-Length are filled in by HttpURLConnection itself.
    con.setDoOutput(true);

    // Both values are inserted into the JSON unescaped, so the caller must pass validated values.
    String jsonInputString = "{\n" +
        "  \"otp\": \"" + otp + "\",\n" +
        "  \"txnId\": \"" + txnId + "\"\n" +
        "}";

    System.out.println(" Json Value  Before in " + jsonInputString);

    byte[] postDataBytes = jsonInputString.getBytes(StandardCharsets.UTF_8);
    try (OutputStream os = con.getOutputStream()) {
        os.write(postDataBytes, 0, postDataBytes.length);
    }

    // Read the whole response body; the reader is closed when the block exits.
    StringBuilder sb = new StringBuilder();
    try (Reader in = new BufferedReader(new InputStreamReader(con.getInputStream(), StandardCharsets.UTF_8))) {
        for (int c; (c = in.read()) >= 0;)
            sb.append((char) c);
    }

    return sb.toString();
}
```

amartya-s commented 3 years ago

Which API are you using to generateOTP? '/v2/auth/generateOTP' gives me a 403 unauth error. I'm able to, however, generate using the '/v2/auth/generateMobileOTP' API. But when I call '/v2/auth/confirmOtp' with the otp_hash and txn_id, I again get a 403 unauthenticated error.

raviprasa18 commented 3 years ago

I am using https://cdn-api.co-vin.in/api/v2/auth/public/generateOTP to generate OTP.

shekharkumar86 commented 3 years ago

Where can I find the secret key for the generateOTP API? I am using this link: https://cdndemo-api.co-vin.in/api/v2/auth/public/generateOTP

Response: { "mobile": "9716221243", "secret":"ddfsss" }

Please help me.

shekharkumar86 commented 3 years ago

> Which API are you using to generateOTP? '/v2/auth/generateOTP' gives me a 403 unauth error. I'm able to, however, generate using the '/v2/auth/generateMobileOTP' API. But when I call '/v2/auth/confirmOtp' with the otp_hash and txn_id, I again get a 403 unauthenticated error.

Please tell me how you can solve this issue for the "/v2/auth/generateMobileOTP" API. I am getting the same error. Please help.

shekharkumar86 commented 3 years ago

> /generateMobileOTP is a protected API and is used only by the CoWIN website. Nowhere in the api-setu portal does it mention this API. Further, if you inspect the request payload while logging in using the CoWIN website, they pass a secret key, which earlier was a fixed token, and I was able to use the API using that token. However, it seems there's been an update yesterday, and now the secret token changes on every API call. The protected API section of api-setu says [Updated on 25 May 2021]. So, there's been an update yesterday and it seems we can't use this API anymore to login.
>
> /generateMobileOTP payload when tried from CoWIN website: {"secret":"U2FsdGVkX18Zc8wJNqTsxWFwK6COcDeyl8vRAaLWsrNzgm54RqJvpRVUeD1***P1CpH6jtgbXJNFstm5A==","mobile":***}

From where are you getting the secret key?

amartya-s commented 3 years ago

> I am using https://cdn-api.co-vin.in/api/v2/auth/public/generateOTP to generate OTP.

That's weird, buddy. What all headers are you passing in? My payload for the POST call is: {'mobile': '**'}. Below is how I'm calling it. I've printed the headers and the response:

```
https://cdn-api.co-vin.in/api/v2/auth/public/generateOTP
{'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36', 'Accept-Encoding': 'gzip, deflate', 'Accept': 'application/json', 'Connection': 'keep-alive', 'Content-type': 'application/json', 'Accept-Language': 'en-US,en;q=0.5', 'Cache-Control': 'no-cache', 'Host': 'cdn-api.co-vin.in', 'Pragma': 'no-cache', 'TE': 'Trailers', 'x-api-key': '3sjOr2rmM52GzhpMHjDEE1kpQeRxwFDr4YcBEimi'}
b'Unauthenticated access!'
```

amartya-s commented 3 years ago

> > /generateMobileOTP is a protected API and is used only by the CoWIN website. Nowhere in the api-setu portal does it mention this API. Further, if you inspect the request payload while logging in using the CoWIN website, they pass a secret key, which earlier was a fixed token, and I was able to use the API using that token. However, it seems there's been an update yesterday, and now the secret token changes on every API call. The protected API section of api-setu says [Updated on 25 May 2021]. So, there's been an update yesterday and it seems we can't use this API anymore to login.
> >
> > /generateMobileOTP payload when tried from CoWIN website: {"secret":"U2FsdGVkX18Zc8wJNqTsxWFwK6COcDeyl8vRAaLWsrNzgm54RqJvpRVUeD1***P1CpH6jtgbXJNFstm5A==","mobile":***}
>
> From where are you getting the secret key?

From inspecting the call made from the CoWIN website. But don't worry, it's of no use. You won't be able to use it, as it's a dynamically generated key at client level.

shekharkumar86 commented 3 years ago

https://cdndemo-api.co-vin.in/api/v2/auth/public/confirmOTP is not working

```
{ "otp": "3D9CCD98E0B10179BBCC3322918218F5B2D8245E318BCCA215D1D12E83EDA1B1d", "txnId": "b11ae5fe-9b74-41fd-99e6-d6f1c4cecfdbd" }
RESP:
{ "errorCode": "USRAUT0014", "error": "Invalid OTP" }
```

Please help

trkailash commented 3 years ago

Anyone else having issues with the protected API validateMobileOtp? Any id-ed solutions for the moment?

vsingal-p commented 3 years ago

No luck

big89 commented 3 years ago

On the https://apisetu.gov.in/public/api/cowin API portal, Public APIs are open for all; Protected APIs are not open without an API key. These are provided for official use after registration.

Also, API calls inspected from https://selfregistration.cowin.gov.in/ portal are different and unofficial.

@shekharkumar86 otp can be hashed using https://emn178.github.io/online-tools/sha256.html in confirmOTP API call.
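
The confirmOTP body discussed in this thread, as an added Python example that is not code from any participant or from the CoWIN project: it hashes the OTP with SHA-256, builds the body with a JSON encoder rather than string concatenation, and checks both fields locally before any request is sent. It assumes the OTP is hashed as plain ASCII digits without a salt and that txnId is a canonical UUID; the function names are hypothetical.

```python
import hashlib
import json
import re
import uuid

SHA256_HEX = re.compile(r"[0-9a-fA-F]{64}")

# Payload as posted earlier in this thread (the call that returned "Invalid OTP").
POSTED = {
    "otp": "3D9CCD98E0B10179BBCC3322918218F5B2D8245E318BCCA215D1D12E83EDA1B1d",
    "txnId": "b11ae5fe-9b74-41fd-99e6-d6f1c4cecfdbd",
}


def hash_otp(otp: str) -> str:
    """SHA-256 hex digest of the OTP digits (assumption: ASCII, unsalted)."""
    if not (otp.isascii() and otp.isdigit()):
        raise ValueError("OTP must consist of ASCII digits only")
    return hashlib.sha256(otp.encode("ascii")).hexdigest()


def check_confirm_payload(payload: dict) -> list:
    """Return local shape problems; an empty list means well-formed."""
    problems = []
    otp = payload.get("otp")
    if not isinstance(otp, str) or not SHA256_HEX.fullmatch(otp):
        problems.append("otp is not a 64-character hex SHA-256 digest")
    txn = payload.get("txnId")
    try:
        # Round-trip through uuid.UUID so only the canonical form passes.
        if str(uuid.UUID(txn)) != txn.lower():
            raise ValueError(txn)
    except (ValueError, TypeError, AttributeError):
        problems.append("txnId is not a canonical UUID")
    return problems


def build_confirm_body(otp: str, txn_id: str) -> str:
    """Hash the OTP, validate both fields, and JSON-encode the body."""
    payload = {"otp": hash_otp(otp), "txnId": txn_id}
    problems = check_confirm_payload(payload)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(payload)


if __name__ == "__main__":
    print(check_confirm_payload(POSTED))
    print(build_confirm_body("123456", "3fa85f64-5717-4562-b3fc-2c963f66afa6"))
```

Run on the payload posted above, the check reports both fields: the otp value is 65 characters long and the last group of the txnId has 13 characters.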