API Documentation Cashouts API Technical and Security Aspects Calculating the Payload-Signature Learn how to correctly calculate the Signature Control String to authenticate with the V3 Cashout endpoints
Calculating the Signature
All calls to our Cashouts APIs must contain a Payload-Signature
field on the header used to ensure request integrity and to authenticate yourself since you will use your own API Signature (secret key) to generate and encrypt a hash.
It has to be created using HMAC-SHA-256 (RFC 2104) encoding and the payload is made of the entire JSON Payload sent in the body of the requests and notifications.
Use your API Signature to create the HASH
The Payload-Signature
field on the header of the requests will contain the hash generated from hashing the entire JSON Payload:
Payload-Signature: HMAC256(jsonPayload)
Example:
Payload-Signature: 223a9dd4784726f1536c926da7dc69155a57612c5c3c1e1b429c367a5eee67cf
Notes
The Payload-Signature
value is case sensitive and must be sent in lower case.
In case the jsonPayload
value is empty, use an empty string instead.
The jsonPayload
should be converted to UTF-8 before hashing it to prevent Invalid Signature
error when sending characters with different encodings.
Examples
Check the examples below on how to calculate the Payload-Signature
.
Java PHP C#
Copy import javax . crypto . Mac ;
import javax . crypto . spec . SecretKeySpec ;
import org . apache . commons . net . util . Base64 ;
String json_payload = "{ \"login\": \"cashout_API_Key\", \"pass\": \"cashout_API_Passphrase\", \"external_id\": \"123456789\", \"document_id\": \"1234567899\", \"document_type\": \"\", \"cashout_type\": \"BANK\", \"beneficiary_name\": \"Test User\", \"beneficiary_lastname\": \"Test User\", \"country\": \"MX\", \"amount\": 2000, \"currency\": \"MXN\", \"email\": \"test@test.com\", \"notification_url\": \"http:\\/\\/d24.com\\/notification\", \"bank_code\": \"072\",\"bank_branch\": \"\", \"bank_account\": \"1234567890\", \"account_type\": \"C\", \"address\": \"\"}";
String secretKey = "cashout_secret_key" ;
Mac hasher = Mac . getInstance ( "HmacSHA256" );
hasher . init ( new SecretKeySpec( secretKey . getBytes() , "HmacSHA256" ) );
String payload_signature = Base64 . encodeBase64String ( hasher . doFinal ( json_payload . getBytes ())) . toLowerCase ();
Copy <? php
$json_payload = '{
"login" : "cashout_API_Key" ,
"pass" : "cashout_API_Passphrase" ,
"external_id" : "123456789" ,
"document_id" : "1234567899" ,
"document_type" : "" ,
"cashout_type" : "BANK" ,
"beneficiary_name" : "Test User" ,
"beneficiary_lastname" : "Test User" ,
"country" : "MX" ,
"amount" : 2000 ,
"currency" : "MXN" ,
"email" : "test@test.com" ,
"notification_url" : "http://www.d24.com/notification" ,
"bank_code" : "072" ,
"bank_branch" : "" ,
"bank_account" : "1234567890" ,
"account_type" : "C" ,
"address" : ""
} ';
$secretKey = "cashout_secret_key" ;
$payload_signature = strtolower ( hash_hmac ( 'sha256' , pack ( 'A*' , $json_payload) , pack ( 'A*' , $secretKey)));
?>
Copy using System;
using System . Text;
using System . Security . Cryptography;
string jsonPayload = "{ \"login\": \"cashout_API_Key\", \"pass\": \"cashout_API_Passphrase\", \"external_id\": \"123456789\", \"document_id\": \"1234567899\", \"document_type\": \"\", \"cashout_type\": \"BANK\", \"beneficiary_name\": \"Test User\", \"beneficiary_lastname\": \"Test User\", \"country\": \"MX\", \"amount\": 2000, \"currency\": \"MXN\", \"email\": \"test@test.com\", \"notification_url\": \"http:\\/\\/www.d24.com\\/notification\", \"bank_code\": \"072\",\"bank_branch\": \"\", \"bank_account\": \"1234567890\", \"account_type\": \"C\", \"address\": \"\"}";
string secretKey = "cashout_secret_key" ;
byte[] keyByte = new ASCIIEncoding () . GetBytes ( secretKey ) ;
byte[] jsonPayloadBytes = new ASCIIEncoding () . GetBytes ( jsonPayload ) ;
byte[] hashmessage = new HMACSHA256 (keyByte) . ComputeHash ( jsonPayloadBytes ) ;
string payloadSignature = BitConverter . ToString ( hashmessage ) . Replace ( "-" , "" ) . ToLower () ;