Security

How to make safe payment requests.

All requests to the Payouts API must be signed and the signature included in the Payload-Signature request header for them to be accepted.

Signature

How does it work

The signature must be calculated using the request payload as the data to be hashed and the merchant secret key as the hashing key, using the HMAC SHA256 algorithm. The resulting signature should be provided to the Payouts API in hexadecimal lowercase format.

Signature calculation example

The following code samples show an example signature calculation.

Our GitHub repository hosts a variety of signature examples, which can be a valuable resource for understanding implementation details and for reference in your development process.

Check out signature examples on GitHub >

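PHP

$secretKey = 'xxxxxxxxxxx';
// Raw JSON request body, exactly as it will be sent
$requestPayload = '{ … }';
// false = return the digest as lowercase hexadecimal rather than raw bytes
$signature = hash_hmac('sha256', $requestPayload, $secretKey, false);

C#

using System;
using System.Security.Cryptography;
using System.Text;

static string GenerateHMACSHA256Signature(string payload, string secretKey)
{
    // The key and the payload are both hashed as UTF-8 bytes
    byte[] keyBytes = Encoding.UTF8.GetBytes(secretKey);
    byte[] payloadBytes = Encoding.UTF8.GetBytes(payload);

    using (var hmacsha256 = new HMACSHA256(keyBytes))
    {
        byte[] hashBytes = hmacsha256.ComputeHash(payloadBytes);
        // Convert "AB-CD-..." to lowercase hexadecimal without separators
        return BitConverter.ToString(hashBytes).Replace("-", "").ToLower();
    }
}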

Do not forget to use your Secret key as the hashing key when calculating your signature. Read more information in the Get your API test credentials section.
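The calculation described above, as an added Python example that is not part of the original samples or the GitHub repository: it serialises the payload once, signs exactly those bytes, and returns the same bytes for sending, because an HMAC computed over a differently spaced copy of the same JSON will not match. The secret key, the payload fields and the helper names are constructed for illustration and are not the API's real schema.

```python
import hashlib
import hmac
import json

# Constructed sample values; not real credentials or the API's real schema.
SAMPLE_SECRET = "example-secret-key"
SAMPLE_PAYLOAD = {"amount": "10.00", "currency": "EUR", "reference": "constructed-1"}


def sign_payload(body: bytes, secret_key: str) -> str:
    """HMAC-SHA256 of the raw body, keyed with the secret, as lowercase hex."""
    return hmac.new(secret_key.encode("utf-8"), body, hashlib.sha256).hexdigest()


def build_signed_request(payload: dict, secret_key: str) -> tuple[bytes, dict]:
    """Serialise once, sign those bytes, and return the same bytes for sending."""
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return body, {"Payload-Signature": sign_payload(body, secret_key)}


def signature_matches(body: bytes, secret_key: str, signature: str) -> bool:
    """Constant-time comparison, useful for testing a signer locally."""
    expected = sign_payload(body, secret_key)
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8"))


if __name__ == "__main__":
    body, headers = build_signed_request(SAMPLE_PAYLOAD, SAMPLE_SECRET)
    print(headers["Payload-Signature"])
    # Same data, different whitespace: the signature no longer matches.
    respaced = json.dumps(SAMPLE_PAYLOAD).encode("utf-8")
    print(signature_matches(respaced, SAMPLE_SECRET, headers["Payload-Signature"]))
```

Send the returned `body` bytes unchanged; passing the original dictionary to an HTTP client that serialises it again can change the bytes and invalidate the signature.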


Signature testing

We strongly suggest testing your generated signature by using the Get Exchange Rate call, to make sure your signature is working before moving forward with the integration.