Cryptopay API
  • Welcome
  • Guides
    • Introduction
    • Environments
    • Creating a Test Account
    • API Credentials
    • API Basics
      • Responses
      • Date formats
      • Authentication
        • How it works
        • Signature
        • Creating a signature. Code samples
      • Callbacks
    • API Client Libraries
    • API Reference
    • Cryptocurrency Payments
    • Currencies
      • Supported Currencies
      • Currency Icons
    • Confirmations
    • Tools for accepting payments
    • Prebuilt integrations
      • E-commerce payment plugins
      • Payment and software providers
    • Channels
      • Channel payment
      • Payment statuses
      • Channel payment sequence
      • Create a Channel
      • Visual representation at Cashier
      • Channel hosted page
      • Channel payment callbacks
    • Invoices
      • Invoice statuses
      • Invoice payment sequence
      • How to handle unresolved invoices
        • Underpaid
        • Overpaid
        • Paid late
        • Illicit resource
        • Invoice refunds sequence
      • Create an invoice
      • Visual presentation at Cashier
      • Invoice hosted page
      • Online checkout
        • How-to
      • Payment links
      • Invoice callbacks
    • Payouts
      • Payout statuses
      • Payout sequence
      • Payout fees consideration
        • Network fees
      • Create a Coin Withdrawal
        • Possible errors
        • Withdrawals from fiat accounts
        • Withdrawals from cryptocurrency accounts
        • high_risk_address error message
      • Visual representation at Cashier
      • Minimum transaction amount
      • Coin Withdrawal callbacks
      • Travel Rule Compliance
    • Email Billing
      • Create an email billing
      • Email billing callbacks
    • Testing
      • Channels
      • Invoices
      • Payouts
    • Risks
    • Customers
    • Transactions types and Statuses
Powered by GitBook
On this page
  1. Guides
  2. API Basics
  3. Authentication

How it works

The following describes steps, required to authenticate request signature using HMAC-SHA1:

  1. You construct an API request (for API calls)

  2. You calculate a keyed-hash message authentication code (HMAC-SHA1) signature using your API secret

  3. You include both the API key and the signature in the Authorization header, and then call the API

  4. The API uses your API key to look up your API secret

  5. The API reconstructs the signature from the request data and the API secret with the same algorithm you used to calculate the signature you sent in the request

  6. If the signature generated by Cryptopay matches the one you sent in the request, the request is considered authentic. If the comparison fails the request is discarded and Cryptopay returns 401 or 403 error responses:

{
  "error": {
    "code": "unauthenticated",
    "message": "unauthenticated",
    "details": []
  },
  "meta": {
    "request_id": "932e4625b1735951f471cb7e7d3dab6e"
  }
}
{
  "error": {
    "code": "unauthorized",
    "message": "unauthorized",
    "details": []
  },
  "meta": {
    "request_id": "932e4625b1735951f471cb7e7d3dab6e"
  }
}
PreviousAuthenticationNextSignature

Last updated 9 months ago