How to access/document a private HMAC-secured API for Odoo SaaS middleware integration? [closed]


We are working on an Odoo SaaS integration project where an external middleware service needs to fetch orders from a third-party ecommerce platform called PipesSpace.

The API endpoint provided in the FSD document is:

https://www.pipesspace.com/adminapi/odoo/v1/financeOrder

When accessing the endpoint directly, we receive:

{ "code": 401, "message": "Request error, please try again later!", "data": null }

Based on the technical specification, the API uses HMAC-SHA256 authentication with headers like:

X-Odoo-Key

X-Odoo-Timestamp

X-Odoo-Nonce

X-Odoo-Signature

The integration architecture is:

PipesSpace API
↓
Middleware Scheduler
↓
Authentication
↓
Fetch Orders
↓
Normalize Data
↓
Duplicate Check
↓
Odoo SaaS

The challenge is:

There is no public API documentation available.

No Swagger/OpenAPI/Postman collection found.

Browser Network tab only exposes frontend APIs, not the protected integration API.

We currently do not have API credentials or sample payloads.

Questions:

Is it normal for enterprise/private integrations to completely hide API documentation publicly?

Is there any reliable way to inspect/discover backend API structures without official credentials?

For HMAC-secured APIs, is obtaining official API documentation and credentials from the vendor the only practical approach?

Any recommendations for validating such integrations during the R&D phase before vendor access is granted?

Tech Stack:

Odoo 19 SaaS

Python FastAPI middleware

APScheduler

XML-RPC / JSON-RPC

HMAC-SHA256 authentication
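
For the R&D-phase validation asked about in the last question, the middleware's signing code can be exercised against a local stub that verifies the four headers listed above. This is an added example, not part of the original post or the vendor's specification. The signing-string layout, the 300-second freshness window and the names `compute_signature`, `sign_request`, `StubVerifier` and `MAX_SKEW` are assumptions to be replaced once the vendor documents the real scheme.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 300  # seconds; assumed freshness window, the real one is the vendor's to state

def compute_signature(secret, key_id, timestamp, nonce, method, path, body):
    # ASSUMED signing string: the specification excerpt on the page does not give one.
    parts = [key_id, timestamp, nonce, method.upper(), path, hashlib.sha256(body).hexdigest()]
    return hmac.new(secret, "\n".join(parts).encode(), hashlib.sha256).hexdigest()

def sign_request(key_id, secret, method, path, body=b"", now=None):
    # Client side: produce the four headers named in the specification.
    timestamp = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)
    return {
        "X-Odoo-Key": key_id,
        "X-Odoo-Timestamp": timestamp,
        "X-Odoo-Nonce": nonce,
        "X-Odoo-Signature": compute_signature(secret, key_id, timestamp, nonce, method, path, body),
    }

class StubVerifier:
    # Local stand-in for the vendor endpoint: key lookup, freshness, signature, replay.
    def __init__(self, secrets_by_key):
        self.secrets_by_key = secrets_by_key
        self.seen = {}  # (key_id, nonce) -> time first accepted

    def verify(self, headers, method, path, body=b"", now=None):
        now = time.time() if now is None else now
        try:
            key_id, timestamp = headers["X-Odoo-Key"], headers["X-Odoo-Timestamp"]
            nonce, signature = headers["X-Odoo-Nonce"], headers["X-Odoo-Signature"]
            secret = self.secrets_by_key[key_id]
            skew = abs(now - int(timestamp))
        except (KeyError, ValueError):
            return 401, "missing or malformed authentication headers"
        if skew > MAX_SKEW:
            return 401, "stale timestamp"
        expected = compute_signature(secret, key_id, timestamp, nonce, method, path, body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return 401, "bad signature"
        # Forget nonces older than the window, then refuse any that were already used.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_SKEW}
        if (key_id, nonce) in self.seen:
            return 401, "replayed nonce"
        self.seen[(key_id, nonce)] = now
        return 200, "ok"
```

Keeping the signing-string construction in one function means only `compute_signature` changes when the vendor's actual canonicalization is known.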
