Signature
The Signature is the RFC 2104 HMAC-SHA1 of selected elements from the request, so the Signature part of the Authorization header varies from request to request.
| Component | Description |
| --- | --- |
| HTTP method | GET, POST, PUT, PATCH |
| MD5 hash sum of the string with JSON-serialized parameters | If there are no parameters in the request body (e.g. GET), place just an empty string "" in this position, as there is nothing to hash. Do not hash an empty string. |
| Content-Type | application/json |
| Date | HTTP-date format, e.g. Tue, 15 Nov 1994 08:12:31 GMT. The time offset is 15 minutes. |
| Request URI | Everything that comes after the base URL, e.g. /api/invoices |
Here is a piece of pseudo-code that demonstrates the Authorization header construction. \n means the Unicode code point U+000A, commonly called a newline:
```
StringToSign = HTTP-Verb + "\n" +
               Content-MD5 + "\n" +
               Content-Type + "\n" +
               Date + "\n" +
               Path

Signature = Base64( HMAC-SHA1( Api.secret, UTF-8-Encoding-Of( StringToSign ) ) );

Authorization = "HMAC " + Api.key + ":" + Signature;
```
A request carrying the resulting Authorization header looks like this:
```
curl -X POST \
  https://business-sandbox.cryptopay.me/api/invoices \
  -H 'Authorization: HMAC DjlHuWlApznJ7vrhPBL0fA:N2eEvkJQ07EpFau90pL5xMpBO3g=' \
  -H 'Content-Type: application/json' \
  -H 'Date: Tue, 25 Sep 2018 17:41:40 GMT' \
  -d '{"price_amount":"100","price_currency":"EUR","pay_currency":"BTC"}'
```
Make sure that the date used for the signature is the same one you put in the Date header.
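The construction above as an added Python example (not code from the original page or from Cryptopay), with a receiver-side check showing that a changed body or Date invalidates the signature. The key, secret and function names are constructed for illustration, and hex encoding of the MD5 sum is an assumption, since the page does not state the encoding.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate

CONTENT_TYPE = "application/json"

def string_to_sign(method, path, body, date):
    # With no request body the Content-MD5 slot is "" itself, not MD5("").
    # Assumption: the MD5 sum is hex-encoded (the page does not say).
    content_md5 = hashlib.md5(body.encode("utf-8")).hexdigest() if body else ""
    return "\n".join([method.upper(), content_md5, CONTENT_TYPE, date, path])

def sign(api_secret, to_sign):
    mac = hmac.new(api_secret.encode("utf-8"), to_sign.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def auth_headers(api_key, api_secret, method, path, body="", date=None):
    # Generate the date once and reuse it for both the signature and the header.
    date = date or formatdate(usegmt=True)
    signature = sign(api_secret, string_to_sign(method, path, body, date))
    return {"Authorization": f"HMAC {api_key}:{signature}",
            "Content-Type": CONTENT_TYPE,
            "Date": date}

def verify(api_secret, authorization, method, path, body, date):
    # Receiver-side view: recompute from the request as received and compare
    # in constant time. Any change to body, date, verb or path must fail.
    scheme, _, credentials = authorization.partition(" ")
    _key, _, signature = credentials.partition(":")
    expected = sign(api_secret, string_to_sign(method, path, body, date))
    return scheme == "HMAC" and hmac.compare_digest(signature, expected)

# Constructed sample values; the body, date and path mirror the curl call above.
API_KEY, API_SECRET = "example-key", "example-secret"
BODY = '{"price_amount":"100","price_currency":"EUR","pay_currency":"BTC"}'
DATE = "Tue, 25 Sep 2018 17:41:40 GMT"

if __name__ == "__main__":
    headers = auth_headers(API_KEY, API_SECRET, "POST", "/api/invoices", BODY, DATE)
    print(headers["Authorization"])
    print(verify(API_SECRET, headers["Authorization"], "POST", "/api/invoices", BODY, DATE))
    # A different Date header than the one that was signed is rejected.
    print(verify(API_SECRET, headers["Authorization"], "POST", "/api/invoices",
                 BODY, "Tue, 25 Sep 2018 17:42:40 GMT"))
```

Sign the exact body string that is sent on the wire: re-serializing the JSON after signing can change key order or whitespace and therefore the MD5 sum.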