# Signature

The Signature is the RFC 2104 HMAC-SHA1 of selected elements from the request, so the Signature part of the `Authorization` header varies from request to request.

| Component                                                  | Description                                                                                                                                                                  |
| ---------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| HTTP method                                                | `GET`, `POST`, `PUT`, `PATCH`                                                                                                                                                |
| MD5 hash sum of the string with JSON-serialized parameters | If the request body has no parameters (e.g. `GET`), put an empty string `""` in this position, as there is nothing to hash. **Do not hash an empty string**. |
| Content-Type                                               | `application/json`                                                                                                                                                           |
| Date                                                       | [HTTP-date](https://tools.ietf.org/html/rfc7231#section-7.1.1.2) format e.g. `Tue, 15 Nov 1994 08:12:31 GMT`. The time offset is 15 minutes                                  |
| Request URI                                                | Everything that is after the base URL e.g. `/api/invoices`                                                                                                                   |

Here is a piece of pseudo-code that demonstrates the `Authorization` header construction. `\n` means the Unicode code point `U+000A`, commonly called a newline:

```
StringToSign = HTTP-Verb + "\n" +
   Content-MD5 + "\n" +
   Content-Type + "\n" +
   Date + "\n" +
   Path

Signature = Base64( HMAC-SHA1( Api.secret, UTF-8-Encoding-Of( StringToSign ) ) );

Authorization = "HMAC " + Api.key + ":" + Signature;
```

A request signed this way carries an `Authorization` header like the one below:

```
curl -X POST \
  https://business-sandbox.cryptopay.me/api/invoices \
  -H 'Authorization: HMAC DjlHuWlApznJ7vrhPBL0fA:N2eEvkJQ07EpFau90pL5xMpBO3g=' \
  -H 'Content-Type: application/json' \
  -H 'Date: Tue, 25 Sep 2018 17:41:40 GMT' \
  -d '{"price_amount":"100","price_currency":"EUR","pay_currency":"BTC"}'  
```

{% hint style="info" %}
Make sure that the date used for the signature is the same one you put in the `Date` header.
{% endhint %}
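
The construction above, together with a receiver-side check, as a Python example added here (it is not Cryptopay's own code). Assumptions: the MD5 is hex-encoded (the page does not state the encoding), the table's 15-minute "time offset" is treated as the maximum accepted clock skew, and the key, secret and function names are constructed for illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

MAX_SKEW = timedelta(minutes=15)  # assumption: "time offset" = accepted clock skew

def string_to_sign(method, body, content_type, date, path):
    # Empty body: the MD5 slot is "", NOT md5("") (see the table above).
    # Assumption: hex digest; the page does not state the encoding.
    content_md5 = hashlib.md5(body.encode("utf-8")).hexdigest() if body else ""
    return "\n".join([method, content_md5, content_type, date, path])

def sign(secret, method, body, content_type, date, path):
    sts = string_to_sign(method, body, content_type, date, path)
    mac = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def authorization_header(key, secret, method, body, content_type, date, path):
    return f"HMAC {key}:{sign(secret, method, body, content_type, date, path)}"

def verify(header, secrets_by_key, method, body, content_type, date, path, now):
    """Receiver side: parse the header, bound the Date, compare in constant time."""
    scheme, _, rest = header.partition(" ")
    key, _, signature = rest.partition(":")
    if scheme != "HMAC" or key not in secrets_by_key:
        return False
    try:
        sent_at = parsedate_to_datetime(date)  # must be the Date header as sent
    except (TypeError, ValueError):
        return False
    if sent_at.tzinfo is None or abs(now - sent_at) > MAX_SKEW:
        return False  # stale or future-dated request: reject before checking the MAC
    expected = sign(secrets_by_key[key], method, body, content_type, date, path)
    return hmac.compare_digest(expected.encode(), signature.encode())

# Constructed sample values (not real credentials)
KEY, SECRET = "example-key", "example-secret"
BODY = '{"price_amount":"100","price_currency":"EUR","pay_currency":"BTC"}'
NOW = datetime(2018, 9, 25, 17, 41, 40, tzinfo=timezone.utc)
DATE = format_datetime(NOW, usegmt=True)  # HTTP-date string, used for header AND signature
HEADER = authorization_header(KEY, SECRET, "POST", BODY, "application/json",
                              DATE, "/api/invoices")
```

The body passed to `sign` must be the exact byte string sent on the wire; re-serializing the JSON with different key order or whitespace changes the MD5 and therefore the signature.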
