Introduction

All requests to our payment integrations (whether via the API or hosted solutions) require the use of a hash, also referred to as a message signature. This makes use of not only your api key, but your API secret (also available in the portal) to add an extra layer of security to requests and prevent man-in-the-middle attacks.

The high-level idea is that for every request, you must:

• Combine your api key and some request data into a single string
• Hash the string using the HMAC SHA256 method and your secret key
• Add the hash to your request

The rest of this page goes into step-by-step detail on how to do this for each integration method.

Payments API

Message Signature Header

When calling the Payments API, Checkouts and Payment Links endpoints, this is the method that must be used; generating the hash and attaching it as the Message-Signature header along with the Timestamp and Client-Request-Id headers.

For full detail on how to do this, our best resource is the following recipe: