Signature

The Signature is the RFC 2104 HMAC-SHA1, of selected elements from the request, and so the Signature part of the Authorization header will vary from request to request.

Component

Description

HTTP method

GET, POST, PUT, PATCH

MD5 hash sum of the string with JSON-serialized parameters

If there are no parameters in the request body (e.g. GET), you then need to place just an empty string "" as there is nothing to hash. Do not hash an empty string.

Content-Type

application/json

Date

HTTP-date format e.g. Tue, 15 Nov 1994 08:12:31 GMT. The time offset is 10 minutes

Request URI

Everything that is after the base URL e.g. /api/invoices

Here is a piece of pseudo-code that demonstrates the Authorization header construction. \n means the Unicode code point U+000A, commonly called a newline:

StringToSign = HTTP-Verb + “\n” +
Content-MD5 + “\n” +
Content-Type + “\n” +
Date + “\n” +
Path
Signature = Base64( HMAC-SHA1( Api.secret, UTF-8-Encoding-Of( StringToSign ) ) );
Authorization = "HMAC " + Api.key + “:” + Signature;

So this should look like the Authorization header below:

curl -X POST \
https://business-sandbox.cryptopay.me/api/invoices \
-H 'Authorization: HMAC DjlHuWlApznJ7vrhPBL0fA:N2eEvkJQ07EpFau90pL5xMpBO3g=' \
-H 'Content-Type: application/json' \
-H 'Date: Tue, 25 Sep 2018 17:41:40 GMT' \
-d '{"price_amount":"100","price_currency":"EUR","pay_currency":"BTC"}'

Make sure that the date used for signature is the same you put in the Date header