Required headers
Include the following headers with every request, except for /ping:| Header | Required | Description |
|---|---|---|
Content-Type | Yes | Must be application/json |
X-Processing-Key | Yes | Your API key |
X-Processing-Signature | Yes | HMAC-SHA512 signature of the request body, generated using your secret key |
How to generate the signature
Generate the signature from the exact JSON string sent in the request body:- Take the exact request body string that you are going to send.
- Use your secret key as the HMAC key.
- Compute the HMAC signature using the SHA-512 algorithm and encode the result as a lowercase hexadecimal string.
- Send that value in the
X-Processing-Signatureheader.
The signature must be generated from the exact request body sent to the API.If the body changes after signing, the request will be rejected.Make sure that:
- The JSON is not reformatted or pretty-printed after signing
- Field order does not change
- No extra whitespace or line breaks are added
- Your HTTP client does not modify the body before sending it
Verify your implementation
Generate a signature for the following JSON body usingAbCdEfG123456 as the secret key:
Common pitfalls
Most authentication errors are caused by differences between the signed body and the sent body. Check the following:- The JSON used for signing is identical to the JSON sent
- Field order has not changed
- No additional whitespace or line breaks were introduced
- Your HTTP client did not modify the request body
- The signature is hex-encoded (not Base64)
- Header names match exactly:
X-Processing-KeyX-Processing-Signature