Authentication

All API requests require HMAC-SHA256 signature authentication.

Required Headers

Header          Description
X-API-Key       Your public API key (pk_xxx...)
X-Timestamp     Current Unix timestamp in milliseconds
X-Signature     HMAC-SHA256 signature of the request
Content-Type    application/json

Signature Generation

const crypto = require('crypto');

function signRequest(secretKey, method, path, body = {}) {
  // X-Timestamp value: Unix time in milliseconds, as a string
  const timestamp = Date.now().toString();

  // Step 1: Stringify and hash the body (use minified JSON)
  const bodyStr = JSON.stringify(body);
  const bodyHash = crypto.createHash('sha256').update(bodyStr).digest('hex');

  // Step 2: Build the payload
  const payload = `${timestamp}|${method}|${path}|${bodyHash}`;

  // Step 3: Derive HMAC key from secret (SHA256 of secretKey)
  // The hex digest string itself is the key, not the raw 32 bytes
  const hmacKey = crypto.createHash('sha256').update(secretKey).digest('hex');

  // Step 4: Generate signature
  const signature = crypto.createHmac('sha256', hmacKey).update(payload).digest('hex');

  // Send bodyStr unchanged as the request body so it matches the hashed bytes
  return { timestamp, signature, bodyStr };
}

// Example usage
const { timestamp, signature, bodyStr } = signRequest(
  'sk_your_secret_key',
  'POST',
  '/v1/payments',
  { type: 'transfer', fiatAmount: 10000 /* , ... */ }
);

Security Notes

  • Timestamp Tolerance: Requests older than 5 minutes are rejected
  • Secret Key Hashing: We use SHA256(secretKey), as a hex string, as the HMAC key for additional security
  • Body Hashing: The SHA-256 hash of the request body is part of the signed payload, so a body changed in transit no longer matches the signature
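
A receiving-side counterpart to signRequest, as an added example that is not from the original page or the API provider's code: it recomputes the signature from the raw body string, applies the 5-minute timestamp window, and compares in constant time. The names expectedSignature and verifyRequest, the req field names, the refusal of future-dated timestamps, and the sample key and clock value are assumptions.

```javascript
const crypto = require('crypto');

const TOLERANCE_MS = 5 * 60 * 1000; // "Requests older than 5 minutes are rejected"

// Recompute the signature with the same four steps as signRequest, but from the
// raw body string as received (re-serializing parsed JSON could change the bytes).
function expectedSignature(secretKey, timestamp, method, path, rawBody) {
  const bodyHash = crypto.createHash('sha256').update(rawBody).digest('hex');
  const payload = `${timestamp}|${method}|${path}|${bodyHash}`;
  const hmacKey = crypto.createHash('sha256').update(secretKey).digest('hex');
  return crypto.createHmac('sha256', hmacKey).update(payload).digest('hex');
}

// Hypothetical verifier. Returns { ok, reason }.
function verifyRequest(secretKey, req, nowMs = Date.now()) {
  const { timestamp, signature, method, path, rawBody } = req;
  if (!/^\d{1,15}$/.test(String(timestamp))) {
    return { ok: false, reason: 'bad_timestamp' };
  }
  const age = nowMs - Number(timestamp);
  // Assumption: timestamps further in the future than the window are refused too.
  if (age > TOLERANCE_MS || age < -TOLERANCE_MS) {
    return { ok: false, reason: 'stale_timestamp' };
  }
  // Checking the format first guarantees both buffers below are 32 bytes,
  // which timingSafeEqual requires.
  if (!/^[0-9a-f]{64}$/i.test(String(signature))) {
    return { ok: false, reason: 'bad_signature_format' };
  }
  const expected = Buffer.from(
    expectedSignature(secretKey, timestamp, method, path, rawBody), 'hex');
  const given = Buffer.from(signature, 'hex');
  if (!crypto.timingSafeEqual(expected, given)) {
    return { ok: false, reason: 'signature_mismatch' };
  }
  return { ok: true, reason: null };
}

// Constructed sample request (not a real key or real traffic).
const SAMPLE_SECRET = 'sk_example_constructed';
const SAMPLE_NOW = 1700000000000;
function sampleRequest() {
  const rawBody = JSON.stringify({ type: 'transfer', fiatAmount: 10000 });
  const timestamp = String(SAMPLE_NOW - 1000);
  const signature = expectedSignature(
    SAMPLE_SECRET, timestamp, 'POST', '/v1/payments', rawBody);
  return { timestamp, signature, method: 'POST', path: '/v1/payments', rawBody };
}
```

Passing nowMs explicitly, as the sample does, keeps the timestamp check deterministic in tests.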