HomeGuidesAPI ReferenceStatus Page
API Reference

Security

How to make safe payment requests.

All Payouts API requests must use specific information and follow certain security protocols. This section provides a comprehensive guide to payout security requirements, including the necessary endpoints and their signatures.


Security considerations

When implementing security measures for payouts, it is important to note that some endpoints share security protocols with those used in Payins.


Endpoint-specific security requirements can be verified on their respective documentation pages.


For detailed information on these shared security protocols, please refer to the Payins Security page.


Signature: How does it work

Payload signature

The signature must be calculated using the request payload as the data to be hashed and the merchant secret key as the hashing key, using the HMAC SHA256 algorithm. The resulting signature should be provided to the Payouts API in hexadecimal lowercase format.

Signature calculation example

The following codes describe an example signature calculation.

Our GitHub repository hosts a variety of signature examples, which can be a valuable resource for understanding implementation details and for reference in your development process.

Check out signature examples on GitHub > 


$secretKey = 'xxxxxxxxxxx';
$requestPayload = { … }
$signature = hash_hmac('sha256', $requestPayload, $secretKey, false)

static string GenerateHMACSHA256Signature(string payload, string secretKey)
    {
        byte[] keyBytes = Encoding.UTF8.GetBytes(secretKey);
        byte[] payloadBytes = Encoding.UTF8.GetBytes(payload);

        using (var hmacsha256 = new HMACSHA256(keyBytes))
        {
            byte[] hashBytes = hmacsha256.ComputeHash(payloadBytes);
            return BitConverter.ToString(hashBytes).Replace("-", "").ToLower();
        }
    }

Do not forget to use your Secret key for masking your signature. Read more information in the Get your API test credentials section.

Signature testing

We strongly suggest testing your generated signature by using the Get Exchange Rate call, to make sure your signature is working before moving forward with the integration

© 2024 DLOCAL. ALL RIGHTS RESERVED

Dlocal LLP (Company Number UK OC413287) is a limited liability partnership incorporated in England and Wales. DLocal Limited (Company Registration Number C77538) is authorised by the Malta Financial Services Authority under the Financial Institutions Act for the issuance of electronic money and the provision of payment services. Dlocal Corp LLP (Company Number UK OC 424987) is registered as a Money Service Business (MSB) with Financial Crime Enforcement Network in United States of America (USA) under MSB Registration Numbers 31000193620515. Dlocal Corp LLP acts as agent of e-commerce merchants based in the USA, and collects payments from end users based in emerging markets, on behalf of the merchants.