Signature Algorithm

Overview

The signature mechanism ensures:

  1. Requests come from authenticated merchants
  2. Request content has not been tampered with
  3. Requests are recent (within 5 minutes)

Signature Format

The signature is calculated as follows:

Signature = Base64(HMAC-SHA256(SignatureString, API_SECRET))

SignatureString Construction Rules

POST/PUT/PATCH Requests (with request body)

SignatureString = timestamp + "\n" + method + "\n" + path + "\n" + SHA256(body)

Example:

1737554400000
POST
/api/v1/merchants/1000/orders
yYfqwR520ndbKk+W5i091jZF1n6sQ6LU9znNspprwKU=

GET/DELETE Requests (no request body)

SignatureString = timestamp + "\n" + method + "\n" + path

Example:

1737554400000
GET
/api/v1/merchants/1000/orders/M_ORD_123

GET Requests with Query Parameters

SignatureString = timestamp + "\n" + method + "\n" + path + "\n" + SHA256(queryString)

Important Notes:

  • path does not include query parameters
  • queryString is hashed separately and appended as the fourth line of the SignatureString

Example:

1737554400000
GET
/api/v1/merchants/1000/orders/M_ORD_123
abc123hash...
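
An added example, not part of the original documentation: a Python sketch of client-side signing and server-side verification covering the three request shapes above. It assumes the timestamp is in milliseconds and that SHA256(...) values are Base64-encoded (both inferred from the examples on this page), that queryString is the raw query without the leading "?", and that a non-GET request with a query string is handled like GET; the function names and the secret are hypothetical.

```python
import base64
import hashlib
import hmac
import time

MAX_SKEW_MS = 5 * 60 * 1000  # the page's 5-minute freshness window


def b64_sha256(data: bytes) -> str:
    # Assumption: hashes are Base64-encoded, like the 44-character value in the POST example.
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def signature_string(timestamp_ms, method, path, body=b"", query_string=""):
    """Build the SignatureString: three lines, plus a hash line for a body or a query."""
    if "?" in path:
        raise ValueError("path must not include query parameters")
    parts = [str(timestamp_ms), method.upper(), path]
    if method.upper() in ("POST", "PUT", "PATCH"):
        parts.append(b64_sha256(body))
    elif query_string:
        parts.append(b64_sha256(query_string.encode()))
    return "\n".join(parts)


def sign(api_secret: bytes, sig_string: str) -> str:
    # API_SECRET is the HMAC key; the SignatureString is the message.
    mac = hmac.new(api_secret, sig_string.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify(api_secret, signature, timestamp_ms, method, path,
           body=b"", query_string="", now_ms=None):
    """Server-side check: reject stale timestamps, then compare MACs in constant time."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        skew = abs(now_ms - int(timestamp_ms))
    except (TypeError, ValueError):
        return False
    if skew > MAX_SKEW_MS:
        return False
    expected = sign(api_secret, signature_string(timestamp_ms, method, path, body, query_string))
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value, not a real key
    print(sign(secret, signature_string(1737554400000, "GET", "/api/v1/merchants/1000/orders/M_ORD_123")))
```

The verifier recomputes the hash from the bytes it actually received, so the body or query must be signed exactly as sent on the wire, before any re-serialization.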

Released under the MIT License.