Security

All requests to the Payouts API must be signed and the signature included in the Payload-Signature request header for them to be accepted.

The signature must be calculated using the request payload as the data to be hashed and the merchant secret key as the hashing key, using the HMAC SHA256 algorithm. The resulting signature should be provided to the Payouts API in hexadecimal lowercase format.

The following PHP code snippet describes an example signature calculation:

Signature calculation example

$secretKey = 'xxxxxxxxxxx';
$requestPayload = { … }
$signature = hash_hmac('sha256', $requestPayload, $secretKey, false)

You can find your secret key in the Merchant Panel, under the Integration > Credentials & Settings section.

We recommend testing your generated signature using the Get Exchange Rate call, to make sure your signature is working before moving forward with the integration.