# Signature

The Signature is the RFC 2104 HMAC-SHA1 of selected elements from the request, so the Signature part of the `Authorization` header varies from request to request.

| Component | Description |
| --- | --- |
| HTTP method | `GET`, `POST`, `PUT`, `PATCH` |
| MD5 hash sum of the string with JSON-serialized parameters | If the request body has no parameters (e.g. `GET`), place an empty string `""` in this position, as there is nothing to hash. **Do not hash an empty string**. |
| Content-Type | `application/json` |
| Date | [HTTP-date](https://tools.ietf.org/html/rfc7231#section-7.1.1.2) format, e.g. `Tue, 15 Nov 1994 08:12:31 GMT`. The time offset is 15 minutes. |
| Request URI | Everything that is after the base URL, e.g. `/api/invoices` |

Here is a piece of pseudo-code that demonstrates the `Authorization` header construction. `\n` means the Unicode code point `U+000A`, commonly called a newline:

```
StringToSign = HTTP-Verb + "\n" +
   Content-MD5 + "\n" +
   Content-Type + "\n" +
   Date + "\n" +
   Path

Signature = Base64( HMAC-SHA1( Api.secret, UTF-8-Encoding-Of( StringToSign ) ) );

Authorization = "HMAC " + Api.key + ":" + Signature;
```

The resulting request should carry an `Authorization` header like the one below:

```
curl -X POST \
  https://business-sandbox.cryptopay.me/api/invoices \
  -H 'Authorization: HMAC DjlHuWlApznJ7vrhPBL0fA:N2eEvkJQ07EpFau90pL5xMpBO3g=' \
  -H 'Content-Type: application/json' \
  -H 'Date: Tue, 25 Sep 2018 17:41:40 GMT' \
  -d '{"price_amount":"100","price_currency":"EUR","pay_currency":"BTC"}'  
```

{% hint style="info" %}
Make sure that the date used for the signature is the same one you put in the `Date` header.
{% endhint %}
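
The pseudo-code above as runnable Python; this is an added example, not Cryptopay's own code. The key and secret are constructed placeholders, the function names are hypothetical, and hex encoding of the MD5 sum is an assumption, since this page does not state the encoding.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate


def string_to_sign(method, path, body, date, content_type="application/json"):
    # Empty body (e.g. GET): the MD5 slot stays empty; an empty string is never hashed.
    # Assumption: the MD5 sum is hex-encoded (the page does not say which encoding).
    # `body` must be the exact JSON string that is sent, byte for byte.
    body_md5 = hashlib.md5(body.encode("utf-8")).hexdigest() if body else ""
    return "\n".join([method.upper(), body_md5, content_type, date, path])


def sign(secret, method, path, body, date, content_type="application/json"):
    # Base64( HMAC-SHA1( secret, UTF-8 bytes of StringToSign ) )
    msg = string_to_sign(method, path, body, date, content_type).encode("utf-8")
    digest = hmac.new(secret.encode("utf-8"), msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def auth_headers(key, secret, method, path, body="", date=None):
    # One date value feeds both the signature and the Date header,
    # so the two can never disagree.
    date = date or formatdate(usegmt=True)  # HTTP-date, e.g. "Tue, 15 Nov 1994 08:12:31 GMT"
    signature = sign(secret, method, path, body, date)
    return {
        "Authorization": f"HMAC {key}:{signature}",
        "Content-Type": "application/json",
        "Date": date,
    }


# Constructed placeholder credentials and sample request, not real values.
API_KEY = "EXAMPLE_KEY"
API_SECRET = "EXAMPLE_SECRET"
BODY = '{"price_amount":"100","price_currency":"EUR","pay_currency":"BTC"}'
DATE = "Tue, 25 Sep 2018 17:41:40 GMT"

if __name__ == "__main__":
    headers = auth_headers(API_KEY, API_SECRET, "POST", "/api/invoices", BODY, DATE)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Serialize the JSON body once and pass that same string both to the signing function and to the HTTP client; re-serializing can change key order or whitespace and invalidate the MD5 component.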


