Authentication
Secure your API requests with HMAC-SHA256 signature authentication.
The Ipay Technologies Pty Ltd API uses a combination of API keys and HMAC-SHA256 signatures to authenticate requests. The API key identifies your SubAccount, and the signature, computed with your API secret, lets the server verify that each request comes from an authorized source.
Getting API Credentials
To get started with the Ipay Technologies Pty Ltd API, you'll need two pieces of information:
- API Key: A unique identifier for your SubAccount
- API Secret: A secret key used to sign your requests
Contact your account manager to obtain your API credentials.
Required Headers
Every API request must include the following headers:
| Header | Description | Example |
|---|---|---|
| x-api-key | Your unique API key | A24b4fSJ8SKhowxlY |
| signature | HMAC-SHA256 signature (nonce.hash) | 1712042205773.da41de13... |
| Content-Type | Must be application/json | application/json |
Generating the Signature
The signature is generated using HMAC-SHA256 hashing. Follow these steps:
Generate a Nonce
Create a nonce (number used once) using the current timestamp in milliseconds.
```javascript
const nonce = new Date().getTime();
```
Create Signed Payload
Combine the nonce and API key with a period separator.
```javascript
const signedPayload = `${nonce}.${api_key}`;
```
Generate HMAC-SHA256 Hash
Hash the signed payload using your API secret.
```javascript
const expectedSignature = CryptoJS.HmacSHA256(signedPayload, api_secret).toString();
```
Create Final Signature
Combine the nonce and hash with a period separator.
```javascript
const signature = `${nonce}.${expectedSignature}`;
```
Code Examples
Implementation Examples
Generate HMAC-SHA256 signatures in your preferred programming language.
```javascript
const CryptoJS = require('crypto-js');

// Your API credentials
const api_key = 'YOUR_API_KEY';
const api_secret = 'YOUR_API_SECRET';

// Generate nonce (current timestamp)
const nonce = new Date().getTime();

// Create signed payload
const signedPayload = `${nonce}.${api_key}`;

// Generate HMAC-SHA256 signature
const expectedSignature = CryptoJS.HmacSHA256(signedPayload, api_secret).toString();

// Create final signature
const signature = `${nonce}.${expectedSignature}`;

// Set headers for API request
const headers = {
  'x-api-key': api_key,
  'signature': signature,
  'Content-Type': 'application/json'
};
```
Security Best Practices
- Keep your API secret confidential: Never expose your API secret in client-side code, public repositories, or logs.
- Generate signatures server-side: Always generate signatures on your backend server, not in browser JavaScript.
- Use HTTPS only: All API requests must be made over HTTPS to ensure data is encrypted in transit.
- Rotate credentials regularly: Contact your account manager to rotate your API credentials periodically.
- Fresh signatures for each request: Generate a new signature for every API call using a current timestamp.
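Why a fresh signature per request matters, seen from the verifying side. This is an added example, not Ipay's code: the page does not document the server's checks, so `verify`, the 5-minute `MAX_SKEW_MS` window and the demo credentials are assumptions; `sign` follows the four steps above using Node's built-in `crypto` module.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: maximum accepted nonce age. The page does not state a window.
const MAX_SKEW_MS = 5 * 60 * 1000;

// Client side: same nonce.hash construction as the steps on this page.
function sign(apiKey, apiSecret, now = Date.now()) {
  const hash = nodeCrypto.createHmac('sha256', apiSecret)
    .update(`${now}.${apiKey}`).digest('hex');
  return `${now}.${hash}`;
}

// Verifier side (hypothetical): returns { ok, reason }.
function verify(signature, apiKey, apiSecret, now = Date.now()) {
  if (typeof signature !== 'string') return { ok: false, reason: 'malformed' };
  const dot = signature.indexOf('.');
  if (dot < 1) return { ok: false, reason: 'malformed' };
  const nonce = signature.slice(0, dot);
  const hash = signature.slice(dot + 1);
  if (!/^\d{1,15}$/.test(nonce) || !/^[0-9a-f]{64}$/.test(hash)) {
    return { ok: false, reason: 'malformed' };
  }
  const expected = nodeCrypto.createHmac('sha256', apiSecret)
    .update(`${nonce}.${apiKey}`).digest();
  // Constant-time comparison; both buffers are exactly 32 bytes here.
  if (!nodeCrypto.timingSafeEqual(expected, Buffer.from(hash, 'hex'))) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Freshness check: an old (or far-future) nonce is rejected even if the HMAC is valid.
  if (Math.abs(now - Number(nonce)) > MAX_SKEW_MS) {
    return { ok: false, reason: 'stale' };
  }
  return { ok: true, reason: null };
}

// Constructed sample values, not real credentials.
const demoSig = sign('demo-key', 'demo-secret', 1712042205773);
console.log(verify(demoSig, 'demo-key', 'demo-secret', 1712042205773 + 1000));
```

Because the signed payload is only `nonce.api_key`, the signature does not cover the request body or path; their integrity in transit depends on the HTTPS requirement above.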
Next Steps
Now that you understand authentication, you're ready to start making API calls.