This section explains how to generate request signatures.
Overview
For all non-authentication POST requests, a signature must be generated for the intended payload. This lets us validate that API requests have not been tampered with.
Signature Description
The signature is a hex encoded HMAC-SHA256 and is generated and sent using the X-SIGNATURE HTTP request header.
The signature can be generated using the following steps:
- Prepare the Payload - The payload string is made up of two parts:
  - Timestamp - Generate a timestamp in ISO-8601 format.
  - Request JSON - Use the exact JSON that is sent to the server.
- Create the Payload String - Concatenate the timestamp with the request JSON.
- Generate HMAC-SHA256
  - Use the payload string as the HMAC key.
  - Use the Signing Key (which is obtained from Configuring API Credentials) as the data to sign the payload. Ensure that the HMAC result is in lowercase (some languages return this by default).
Timestamp
The same timestamp used for this request's signature must also be sent in the X-Timestamp HTTP header, alongside X-Signature, when submitting API requests to the Pay1st Gateway.
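The steps above as an added Python example (not Pay1st's own code), which also shows why the exact JSON string that is sent must be the one that is signed. The key, timestamp and JSON fields are constructed sample values, `verify` is a hypothetical receiver-side check, and the HMAC key and data roles follow the steps as listed on this page.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


def iso_timestamp() -> str:
    """Current UTC time in ISO-8601 form with a trailing Z."""
    return datetime.now(timezone.utc).isoformat().replace("+00:00", "Z")


def sign(timestamp: str, body: str, signing_key: str) -> str:
    """Lowercase hex HMAC-SHA256 over the payload string."""
    payload = timestamp + body  # payload string: timestamp, then the exact JSON
    # Roles as listed in the steps above: payload string as the HMAC key,
    # Signing Key as the data.
    mac = hmac.new(payload.encode("utf-8"), signing_key.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()  # hexdigest() is already lowercase


def build_headers(body: str, signing_key: str, timestamp: str = "") -> dict:
    """Headers to send with `body`; one timestamp feeds both headers."""
    ts = timestamp or iso_timestamp()
    return {"X-Timestamp": ts, "X-Signature": sign(ts, body, signing_key)}


def verify(headers: dict, raw_body: str, signing_key: str) -> bool:
    """Hypothetical receiver check: recompute over the raw body, constant-time compare."""
    expected = sign(headers["X-Timestamp"], raw_body, signing_key)
    return hmac.compare_digest(expected, headers["X-Signature"])


# Constructed sample values, not real credentials or real Pay1st fields.
SAMPLE_KEY = "constructed-signing-key-for-illustration"
SAMPLE_TS = "2025-01-01T00:00:00.000000Z"
order = {"reference": "order-1001", "amount": 1250}
SAMPLE_BODY = json.dumps(order)                          # the exact string sent
RESERIALIZED = json.dumps(order, separators=(",", ":"))  # same data, other bytes

if __name__ == "__main__":
    headers = build_headers(SAMPLE_BODY, SAMPLE_KEY, SAMPLE_TS)
    print(headers)
    print("sent body verifies:         ", verify(headers, SAMPLE_BODY, SAMPLE_KEY))
    print("re-serialized body verifies:", verify(headers, RESERIALIZED, SAMPLE_KEY))
```

Serialize the request once and send that same string as the body; signing one serialization and sending another produces a signature mismatch even though the data is identical.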
Test Cases
The following table can be used as test cases to check the correctness of the signature.
| Property | Value |
|---|---|
| Expected Signature | 85aa0862aa052f737d3cf4d38f92091ea7c015e782d207ea18cc5641d3e47755 |
| Timestamp | 2025-03-17T08:10:52.544247646Z |
| Signing Key | hCyO_Flnu6aid-bhFYTYOowkxXRzoZkgzO32rB6Ik8Y |
