LogoLogo
  • OKP APIs
  • Getting Started with OKP
  • API Documentation
    • Deposits API
      • Technical and Security Aspects
        • Calculating the Signature
      • Endpoints
        • Deposit Creation Endpoint
          • Notifications
        • Transactional Account Endpoint
          • Understanding the Solution
        • PCI Deposit Creation Endpoint
        • Deposit Status Endpoint
        • Payment Methods Endpoint
        • Currency Exchange Endpoint
        • Crypto Exchange Endpoint
        • Country States Codes Endpoint
        • Refund Creation Endpoint
          • Notifications
        • Refund Status Endpoint
      • Payment Methods
        • 🌎America
          • 🇧🇷Brazil
            • PIX Biometric
      • API Codes
    • Cashouts API
      • Technical and Security Aspects
        • Calculating the Payload-Signature
      • Endpoints
        • Cashout Creation Endpoint
          • Notifications
        • Cashout Status Endpoint
        • Cashout Update Status Endpoint
        • Cashout Cancellation Endpoint
        • Cashout Bank Codes
      • Countries Validations
        • American Countries
          • 🇧🇷Brazil
      • API Codes
    • Subscriptions API
      • Technical and Security Aspects
        • Calculating the Signature
      • Subscription Creation Endpoints
        • OneShot Subscription Creation
        • PCI Subscription Creation Endpoint
        • Notifications
      • Subscription Cancellation Endpoint
      • Subscription Status Endpoint
    • Quickpay
      • Endpoints
        • Deposit creation endpoint
          • Notifications
        • Deposit status endpoint
    • Bank Account Validation
      • Technical and Security Aspects
        • Calculating the Signature
      • Endpoints
        • Bank Account Validation Endpoint
          • Pix Key Validation and Details Endpoint
      • API Codes
    • KYC API
      • Technical and Security Aspects
        • Calculating the Signature
      • KYC Endpoint
      • API Codes
  • Deposits Tools
    • Cards SDK
      • With User Interface
        • 🚀Color Customization
      • Without User Interface
    • Java SDK
    • PHP SDK
  • Knowledge Base
    • Deposits with Cards SDK
      • With User Interface
      • Without User Interface
    • Countries Specifications
  • PLUGINS
    • WooCommerce
      • Installation
      • Configuration
  • Status Page
Powered by GitBook
On this page
  • Calculating the Signature
  • Examples
  1. API Documentation
  2. KYC API
  3. Technical and Security Aspects

Calculating the Signature

Learn how to calculate and send the Signature header value to verify requests integrity

PreviousTechnical and Security AspectsNextKYC Endpoint

Last updated 6 months ago

Calculating the Signature

All the calls to this API will contain an Authorization field on the header used to ensure request integrity and to authenticate yourself since you will use your own secret key (API Signature) to generate and encrypt a hash.

It has to be created using HMAC-SHA-256 (RFC 2104) encoding and the payload must include the following details:

+ + JSONPayload

Use your to generate the Authorization value

The Authorization field on the header of the requests will contain the string "D24 " concatenated to the hash generated, in the following format:

Authorization: "D24 " + HMAC256(X-Date + X-Login + JSONPayload)

Example:

Authorization: D24 223a9dd4784726f1536c926da7dc69155a57612c5c3c1e1b429c367a5eee67cf

Notes

The is your login API Key, it can be retrieved from the Merchant Panel by going to Settings -> API Access -> Deposit credentials -> API Key.

The is the date in ISO8601 Datetime with Timezone. Format expected: ISO8601 Datetime with Timezone: yyyy-MM-dd'T'HH:mm:ssZ. E.g.: 2020-06-21T12:33:20Z.

The Authorization value is case sensitive and must include all the above mentioned values.

The JSONPayload is the exact same JSON you sent in the body of the request.

In case the JSONPayload value is empty (for example in the status or payment methods endpoints), use an empty string ("") instead.

The JSONPayload should be converted to UTF-8 before hashing it to prevent Invalid Signature error when sending characters with different encodings.

Examples

Check the examples in the different languages on how to properly calculate the Signature.

JavaC#PHPCopy

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Formatter;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public static final String D24_AUTHORIZATION_SCHEME = "D24 ";

private static final String HMAC_SHA256 = "HmacSHA256";

public static String buildCashoutKeySignature(String apiSignature, String xDate, String depositApiKey, String JSONPayload)
      throws NoSuchAlgorithmException, InvalidKeyException, IOException {
   byte[] hmacSha256 = null;
   Mac mac = Mac.getInstance(HMAC_SHA256);
   SecretKeySpec secretKeySpec = new SecretKeySpec(apiSignature.getBytes(StandardCharsets.UTF_8), HMAC_SHA256);
   mac.init(secretKeySpec);
   hmacSha256 = mac.doFinal(buildByteArray(xDate, depositApiKey, JSONPayload));
   return D24_AUTHORIZATION_SCHEME + toHexString(hmacSha256);
}

private static byte[] buildByteArray(String xDate, String depositApiKey, String JSONPayload) throws IOException {
   ByteArrayOutputStream bos = new ByteArrayOutputStream();
   bos.write(xDate.getBytes(StandardCharsets.UTF_8));
   bos.write(depositApiKey.getBytes(StandardCharsets.UTF_8));
   if (JSONPayload != null) {
      bos.write(payload.getBytes(StandardCharsets.UTF_8));
   }
   return bos.toByteArray();
}

private static String toHexString(byte[] bytes) {
   Formatter formatter = new Formatter();
   for (byte b : bytes) {
      formatter.format("%02x", b);
   }
   return formatter.toString();
}

You can also check the code of our SDKs in and to see how it is calculated.

Java
PHP
X-Date
X-Login
X-Login
X-Date
API Signature