> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cryptoprocessing.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

Learn how to authenticate API requests and avoid common setup issues.

## Required headers

Include the following headers with every request, except for [/ping](/api-reference/endpoints/ping):

| Header                   | Required | Description                                                                |
| :----------------------- | :------- | :------------------------------------------------------------------------- |
| `Content-Type`           | Yes      | Must be `application/json`                                                 |
| `X-Processing-Key`       | Yes      | Your API key                                                               |
| `X-Processing-Signature` | Yes      | HMAC-SHA512 signature of the request body, generated using your secret key |

## How to generate the signature

Generate the signature from the exact JSON string sent in the request body:

1. Take the exact request body string that you are going to send.
2. Use your **secret key** as the HMAC key.
3. Compute the HMAC signature using the SHA-512 algorithm and encode the result as a lowercase hexadecimal string.
4. Send that value in the `X-Processing-Signature` header.

<Note>
  The signature must be generated from the exact request body sent to the API.

  If the body changes after signing, the request will be rejected.

  Make sure that:

  * The JSON is not reformatted or pretty-printed after signing
  * Field order does not change
  * No extra whitespace or line breaks are added
  * Your HTTP client does not modify the body before sending it
</Note>

## Verify your implementation

Generate a signature for the following JSON body using `AbCdEfG123456` as the secret key:

```json theme={null}
{"currency":"BTC","foreign_id":"123456"}
```

Expected result:

```text theme={null}
03c25fcf7cd35e7d995e402cd5d51edd72d48e1471e865907967809a0c189ba55b90815f20e2bb10f82c7a9e9d865546fda58989c2ae9e8e2ff7bc29195fa1ec
```

## Common pitfalls

Most authentication errors are caused by differences between the signed body and the sent body.

Check the following:

* The JSON used for signing is identical to the JSON sent
* Field order has not changed
* No additional whitespace or line breaks were introduced
* Your HTTP client did not modify the request body
* The signature is **hex-encoded** (not Base64)
* Header names match exactly:
  * `X-Processing-Key`
  * `X-Processing-Signature`