HMAC is required when you call POST /application/connect with a callback URL. It proves the request came from your server.

Headers

All HMAC-authenticated requests need:
Header          Value
api-key         Your master api-key
Authorization   HMAC {timestamp}:{signature}
Content-Type    application/json

How to Calculate the Signature

1. Get the current UNIX timestamp in milliseconds, as a string

const time = Date.now().toString();

2. MD5-hash the request body

const contentHash = crypto.createHash('md5')
  .update(JSON.stringify(body))
  .digest('hex');

For GET requests with no body, hash {} — this gives 99914b932bd37a50b983c5e7c90ae93b.

3. Concatenate timestamp + method + path + body hash

const signatureRawData = time + 'POST' + '/api/v0/application/connect' + contentHash;

4. Create HMAC-SHA256 with your API secret

const signature = crypto.createHmac('sha256', apiSecret)
  .update(signatureRawData)
  .digest('hex');

5. Assemble the Authorization header

const authorization = 'HMAC ' + time + ':' + signature;

Complete Example (Node.js)

import crypto from 'crypto';

const apiSecret = ''; // Your API Secret
const time = Date.now().toString();
const method = 'POST';
const path = '/api/v0/application/connect';
const body = {
  email: 'user@example.com',
  callback: 'https://yourapp.com/webhooks',
  ref: 'user-123',
};

// MD5 hash of the body
const contentHash = crypto
  .createHash('md5')
  .update(JSON.stringify(body))
  .digest('hex');

// Signature input
const signatureRawData = time + method + path + contentHash;

// HMAC SHA256
const signature = crypto
  .createHmac('sha256', apiSecret)
  .update(signatureRawData)
  .digest('hex');

// Final header
const authorization = 'HMAC ' + time + ':' + signature;
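
Complete Example (Python)

import hashlib, hmac, json, time

api_secret = ''  # Your API Secret
timestamp = str(int(time.time() * 1000))  # milliseconds, like Date.now()
method = 'POST'
path = '/api/v0/application/connect'
body = {'email': 'user@example.com', 'callback': 'https://yourapp.com/webhooks'}

# Compact separators and ensure_ascii=False make json.dumps produce the same text
# as JSON.stringify in the Node.js example; send this exact string as the request body.
body_text = json.dumps(body, separators=(',', ':'), ensure_ascii=False)

# MD5 hash of the body
content_hash = hashlib.md5(body_text.encode()).hexdigest()

# Signature input, then HMAC SHA256
signature_input = timestamp + method + path + content_hash
signature = hmac.new(api_secret.encode(), signature_input.encode(), hashlib.sha256).hexdigest()

# Final header
authorization = f'HMAC {timestamp}:{signature}'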

Time Window

The timestamp must be within 600 seconds (10 minutes) of the server’s time. Requests outside this window are rejected.
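
Added example (not from the original page and not the API provider's code): the five signing steps wrapped in one function, next to a check a server could run to enforce the signature and the 600-second window. verifyRequest, its return strings and the demo values in any call are assumptions; the provider's actual server-side check is not documented on this page.

```javascript
// signRequest follows the five steps on this page; verifyRequest is a
// hypothetical server-side check built from the same rules.
const crypto = require('node:crypto');

const WINDOW_MS = 600 * 1000; // "within 600 seconds"; timestamps here are milliseconds

function contentHash(bodyText) {
  return crypto.createHash('md5').update(bodyText).digest('hex');
}

function hmacHex(secret, time, method, path, bodyText) {
  const raw = time + method.toUpperCase() + path + contentHash(bodyText);
  return crypto.createHmac('sha256', secret).update(raw).digest('hex');
}

// Returns the headers plus the exact string that was hashed. Send bodyText itself,
// not a re-serialized copy, so the bytes on the wire match the signed hash.
function signRequest({ apiKey, apiSecret, method, path, body, now = Date.now() }) {
  const bodyText = JSON.stringify(body === undefined ? {} : body); // no body -> hash "{}"
  const time = String(now);
  const signature = hmacHex(apiSecret, time, method, path, bodyText);
  return {
    bodyText,
    headers: {
      'api-key': apiKey,
      Authorization: `HMAC ${time}:${signature}`,
      'Content-Type': 'application/json',
    },
  };
}

// Assumed server logic: parse the header, enforce the window, compare in constant time.
function verifyRequest({ authorization, apiSecret, method, path, bodyText, now = Date.now() }) {
  const m = /^HMAC (\d+):([0-9a-f]{64})$/.exec(authorization || '');
  if (!m) return 'malformed';
  if (Math.abs(now - Number(m[1])) > WINDOW_MS) return 'expired';
  const expected = Buffer.from(hmacHex(apiSecret, m[1], method, path, bodyText), 'hex');
  const given = Buffer.from(m[2], 'hex');
  return crypto.timingSafeEqual(expected, given) ? 'ok' : 'bad-signature';
}
```

Because the body hash is part of the signed string, any change to the serialized body after signing (key order, whitespace, escaping) yields 'bad-signature' even though the JSON is semantically identical.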