Calculating the Signature

Learn how to calculate and send the Signature header value to verify requests integrity

Calculating the Signature

All the calls to our Bank Account Validation APIs will contain an Authorization field on the header used to ensure request integrity and to authenticate yourself since you will use your own secret key (API Signature) to generate and encrypt a hash.

It has to be created using HMAC-SHA-256 (RFC 2104) encoding and the payload must include the following details:

X-Date + X-Login + JSONPayload

Use your API Signature to generate the Authorization value

The Authorization field on the header of the requests will contain the string "D24 " concatenated to the hash generated, in the following format:

Authorization: "D24 " + HMAC256(X-Date + X-Login + JSONPayload)


Authorization: D24 223a9dd4784726f1536c926da7dc69155a57612c5c3c1e1b429c367a5eee67cf


The X-Login is your login API Key, it can be retrieved from the Merchant Panel by going to Settings -> API Access -> Cashout credentials -> API Key.

The X-Date is the date in ISO8601 Datetime with Timezone. Format expected: ISO8601 Datetime with Timezone: yyyy-MM-dd'T'HH:mm:ssZ. E.g.: 2020-06-21T12:33:20Z.

The Authorization value is case sensitive and must include all the above mentioned values.

The JSONPayload is the exact same JSON you sent in the body of the request.

In case the JSONPayload value is empty (for example in the status or payment methods endpoints), use an empty string ("") instead.

The JSONPayload should be converted to UTF-8 before hashing it to prevent Invalid Signature error when sending characters with different encodings.


Check the examples in the different languages on how to properly calculate the Signature.

You can also check the code of our SDKs in Java and PHP to see how it is calculated.

import java.nio.charset.StandardCharsets;
import java.util.Formatter;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public static final String D24_AUTHORIZATION_SCHEME = "D24 ";

private static final String HMAC_SHA256 = "HmacSHA256";

public static String buildCashoutKeySignature(String apiSignature, String xDate, String cashoutApiKey, String JSONPayload)
      throws NoSuchAlgorithmException, InvalidKeyException, IOException {
   byte[] hmacSha256 = null;
   Mac mac = Mac.getInstance(HMAC_SHA256);
   SecretKeySpec secretKeySpec = new SecretKeySpec(apiSignature.getBytes(StandardCharsets.UTF_8), HMAC_SHA256);
   hmacSha256 = mac.doFinal(buildByteArray(xDate, cashoutApiKey, JSONPayload));
   return D24_AUTHORIZATION_SCHEME + toHexString(hmacSha256);

private static byte[] buildByteArray(String xDate, String cashoutApiKey, String JSONPayload) throws IOException {
   ByteArrayOutputStream bos = new ByteArrayOutputStream();
   if (JSONPayload != null) {
   return bos.toByteArray();

private static String toHexString(byte[] bytes) {
   Formatter formatter = new Formatter();
   for (byte b : bytes) {
      formatter.format("%02x", b);
   return formatter.toString();

Last updated