# Calculating the Signature ## Calculating the Signature All the calls to our Deposits APIs will contain an `Authorization` field on the header used to ensure request integrity and to authenticate yourself since you will use your own secret key (API Signature) to generate and encrypt a hash. It has to be created using **HMAC-SHA-256 (RFC 2104)** encoding and the payload must include the following details: > [X-Date](https://apidocs.onekeypayments.com/api-reference/deposits-api/security-aspects/..#x-date) + [X-Login](https://apidocs.onekeypayments.com/api-reference/deposits-api/security-aspects/..#x-login) + `JSONPayload` {% hint style="success" %} Use your API Signature to generate the Authorization value {% endhint %} The `Authorization` field on the header of the requests will contain the string "OKP " plus the hash generated, in the following format: ``` Authorization: "OKP " + HMAC256(X-Date + X-Login + JSONPayload) ``` Example: ``` Authorization: OKP 223a9dd4784726f1536c926da7dc69155a57612c5c3c1e1b429c367a5eee67cf ``` ### Notes * The [`X-Login`](https://apidocs.onekeypayments.com/api-reference/deposits-api/security-aspects/..#x-login) is your login API Key, it can be retrieved from the Merchant Panel by going to\ Settings :arrow\_right: API Access :arrow\_right: Deposit credentials :arrow\_right: API Key. * The [`X-Date`](https://apidocs.onekeypayments.com/api-reference/deposits-api/security-aspects/..#x-date) is the date in ISO8601 Datetime with Timezone. Format expected: ISO8601 Datetime with Timezone: `yyyy-MM-dd'T'HH:mm:ssZ`. E.g.: `2020-06-21T12:33:20Z`. * The `Authorization` value is case sensitive and must include all the above mentioned values. * The `JSONPayload` is the exact same JSON you sent in the body of the request. * In case the `JSONPayload` value is empty (for example in the status or payment methods endpoints), use an empty string ("") instead. * The `JSONPayload` should be converted to UTF-8 before hashing it to prevent *Invalid Signature* error when sending characters with different encodings. #### Examples Check the examples in the different languages on how to properly calculate the Signature. {% tabs %} {% tab title="Java" %} ```java import java.io.ByteArrayOutputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; import java.util.Formatter; import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; public static final String OKP_AUTHORIZATION_SCHEME = "OKP "; private static final String HMAC_SHA256 = "HmacSHA256"; public static String buildDepositKeySignature(String apiSignature, String xDate, String depositKey, String JSONPayload) throws NoSuchAlgorithmException, InvalidKeyException, IOException { byte[] hmacSha256 = null; Mac mac = Mac.getInstance(HMAC_SHA256); SecretKeySpec secretKeySpec = new SecretKeySpec(apiSignature.getBytes(StandardCharsets.UTF_8), HMAC_SHA256); mac.init(secretKeySpec); hmacSha256 = mac.doFinal(buildByteArray(xDate, apiKey, JSONPayload)); return OKP_AUTHORIZATION_SCHEME + toHexString(hmacSha256); } private static byte[] buildByteArray(String xDate, String apiKey, String JSONPayload) throws IOException { ByteArrayOutputStream bos = new ByteArrayOutputStream(); bos.write(xDate.getBytes(StandardCharsets.UTF_8)); bos.write(apiKey.getBytes(StandardCharsets.UTF_8)); if (JSONPayload != null) { bos.write(JSONPayload.getBytes(StandardCharsets.UTF_8)); } return bos.toByteArray(); } private static String toHexString(byte[] bytes) { Formatter formatter = new Formatter(); for (byte b : bytes) { formatter.format("%02x", b); } return formatter.toString(); } ``` {% endtab %} {% tab title="C#" %} ```csharp using System; using System.Text; using System.IO; using System.Security.Cryptography; namespace Application { class OKPExample { public readonly static string OKP_AUTHORIZATION_SCHEME = "OKP "; private readonly static string HMAC_SHA256 = "HmacSHA256"; public static String buildDepositKeySignature(String apiSignature, String xDate, String depositKey, String jsonPayload) { byte[] hmacSha256 = null; var apiSignatureEncod = Encoding.UTF8.GetBytes(apiSignature); var hash = new HMACSHA256(apiSignatureEncod); hmacSha256 = hash.ComputeHash(buildByteArray(xDate, depositKey, jsonPayload)); return OKP_AUTHORIZATION_SCHEME + toHexString(hmacSha256).ToLower(); } private static byte[] buildByteArray(String xDate, String apiKey, String jsonPayload) { try { MemoryStream stream = new MemoryStream(); var xDateEncod = Encoding.UTF8.GetBytes(xDate); var apiKeyEncod = Encoding.UTF8.GetBytes(apiKey); stream.Write(xDateEncod, 0, xDateEncod.Length); stream.Write(apiKeyEncod, 0, apiKeyEncod.Length); if (!string.IsNullOrWhiteSpace(jsonPayload)) { var jsonPayloadEncod = Encoding.UTF8.GetBytes(jsonPayload); stream.Write(jsonPayloadEncod, 0, jsonPayloadEncod.Length); } return stream.ToArray(); } catch (Exception ex) { throw ex; } } private static string toHexString(byte[] bytes) { return BitConverter.ToString(bytes).Replace("-", string.Empty); } } } ``` {% endtab %} {% tab title="PHP" %} ```php ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.