# Calculating the Payload-Signature ## Calculating the Signature All calls to our Cashouts APIs must contain a `Payload-Signature` field on the header used to ensure request integrity and to authenticate yourself since you will use your own API Signature (secret key) to generate and encrypt a hash. It has to be created using **HMAC-SHA-256 (RFC 2104)** encoding and the payload is made of the entire JSON Payload sent in the body of the requests and notifications. {% hint style="success" %} Use your API Signature to create the HASH {% endhint %} The `Payload-Signature` field on the header of the requests will contain the hash generated from hashing the entire JSON Payload: > Payload-Signature: HMAC256(jsonPayload) Example: > Payload-Signature: 223a9dd4784726f1536c926da7dc69155a57612c5c3c1e1b429c367a5eee67cf ### Notes The `Payload-Signature` value is case sensitive and must be sent in lower case. In case the `jsonPayload` value is empty, use an empty string instead. The `jsonPayload` should be converted to UTF-8 before hashing it to prevent `Invalid Signature` error when sending characters with different encodings. ## Examples Check the examples below on how to calculate the `Payload-Signature`. {% tabs %} {% tab title="Java" %} ```java import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; import org.apache.commons.net.util.Base64; String json_payload = "{ \"login\": \"cashout_API_Key\", \"pass\": \"cashout_API_Passphrase\", \"external_id\": \"123456789\", \"document_id\": \"1234567899\", \"document_type\": \"\", \"cashout_type\": \"BANK\", \"beneficiary_name\": \"Test User\", \"beneficiary_lastname\": \"Test User\", \"country\": \"MX\", \"amount\": 2000, \"currency\": \"MXN\", \"email\": \"test@test.com\", \"notification_url\": \"http:\\/\\/onekeypayments.com\\/notification\", \"bank_code\": \"072\",\"bank_branch\": \"\", \"bank_account\": \"1234567890\", \"account_type\": \"C\", \"address\": \"\"}"; String secretKey = "cashout_secret_key"; Mac hasher = Mac.getInstance("HmacSHA256"); hasher.init(new SecretKeySpec(secretKey.getBytes(), "HmacSHA256")); String payload_signature = Base64.encodeBase64String(hasher.doFinal(json_payload.getBytes())).toLowerCase(); ``` {% endtab %} {% tab title="PHP" %} ```csharp ``` {% endtab %} {% tab title="C#" %} ```php using System; using System.Text; using System.Security.Cryptography; string jsonPayload = "{ \"login\": \"cashout_API_Key\", \"pass\": \"cashout_API_Passphrase\", \"external_id\": \"123456789\", \"document_id\": \"1234567899\", \"document_type\": \"\", \"cashout_type\": \"BANK\", \"beneficiary_name\": \"Test User\", \"beneficiary_lastname\": \"Test User\", \"country\": \"MX\", \"amount\": 2000, \"currency\": \"MXN\", \"email\": \"test@test.com\", \"notification_url\": \"http:\\/\\/www.onekeypayments.com\\/notification\", \"bank_code\": \"072\",\"bank_branch\": \"\", \"bank_account\": \"1234567890\", \"account_type\": \"C\", \"address\": \"\"}"; string secretKey = "cashout_secret_key"; byte[] keyByte = new ASCIIEncoding().GetBytes(secretKey); byte[] jsonPayloadBytes = new ASCIIEncoding().GetBytes(jsonPayload); byte[] hashmessage = new HMACSHA256(keyByte).ComputeHash(jsonPayloadBytes); string payloadSignature = BitConverter.ToString(hashmessage).Replace("-", "").ToLower(); ``` {% endtab %} {% endtabs %}