All requests to Paywint APIs must be authenticated using an HMAC-SHA256 signature. This ensures both the integrity and authenticity of your requests. You must include:
  • X-Platform-ID – your API key
  • X-Signature – generated HMAC-SHA256 signature of the request

Canonical String Format

To generate a valid signature, you need to build a canonical string using the following format:
METHOD + PATH + QUERY + BODY_HASH

Definitions

  • METHOD: HTTP method (e.g., GET, POST, PUT)
  • PATH: API path only (e.g., /api/platform/users/create)
  • QUERY: Raw query string (e.g., ?id=123), or empty if none
  • BODY_HASH: SHA256 hex digest of the raw request body (for POST, PUT, etc.)

Example Input

Method: POST
Path: /api/platform/users/create
Query: ?isExample=true&version=1.0.5
Body:
{
  "name": "John Doe",
  "email": "john@example.com",
  "phone": "9876543210",
  "phone_country_code": "+91"
}

Signature Generation Examples

const crypto = require('crypto');

const method = 'POST';
const path = '/api/platform/users/create';
const query = '?isExample=true&version=1.0.5';
const body = JSON.stringify({
  name: 'John Doe',
  email: 'john@example.com',
  phone: '9876543210',
  phone_country_code: '+91'
});

// BODY_HASH: SHA256 hex digest of the exact body string that will be sent
const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
// Canonical string: METHOD + PATH + QUERY + BODY_HASH
const canonicalString = `${method}${path}${query}${bodyHash}`;

// HMAC-SHA256 over the canonical string, keyed with the platform secret
const signature = crypto
  .createHmac('sha256', 'your_platform_secret_key')
  .update(canonicalString)
  .digest('hex');

console.log('X-Signature:', signature);

Complete API Call Examples

Once the signature is generated, use it in the X-Signature header as shown below:
curl -X POST "https://<environment>/api/platform/users/create?isExample=true&version=1.0.5" \
  -H "Content-Type: application/json" \
  -H "X-Platform-ID: YOUR_API_KEY" \
  -H "X-Signature: GENERATED_SIGNATURE" \
  -d '{
    "name": "John Doe",
    "email": "john@example.com",
    "phone": "9876543210",
    "phone_country_code": "+91"
  }'
Alternatively, you can use the static signature in the sandbox environment: 8b3cb99a4b8e24fc7e01d0db635e2e47b80818144fe51400c6c6ae3ecbc84f47
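
Because BODY_HASH is taken over the raw request body, the bytes you sign must be the bytes you transmit: a signature computed over JSON.stringify output will not match a body sent in pretty-printed form (for example, a multi-line -d argument). The following is an added example, not Paywint's code; signRequest, verifyRequest and demo are illustrative names, and verifyRequest assumes the receiver recomputes the signature from the bytes it receives using the canonical format above.

```javascript
const crypto = require('crypto');

const SECRET = 'your_platform_secret_key'; // placeholder, as in the page's example

// METHOD + PATH + QUERY + BODY_HASH, with BODY_HASH over the raw body string.
function canonicalString(method, path, query, rawBody) {
  const bodyHash = crypto.createHash('sha256').update(rawBody).digest('hex');
  return `${method}${path}${query}${bodyHash}`;
}

function signRequest(secret, method, path, query, rawBody) {
  return crypto
    .createHmac('sha256', secret)
    .update(canonicalString(method, path, query, rawBody))
    .digest('hex');
}

// Assumed receiver-side check: recompute from the received bytes and
// compare in constant time so the comparison does not leak match position.
function verifyRequest(secret, method, path, query, rawBody, signatureHex) {
  const expected = Buffer.from(signRequest(secret, method, path, query, rawBody), 'hex');
  const provided = Buffer.from(signatureHex, 'hex');
  return provided.length === expected.length && crypto.timingSafeEqual(provided, expected);
}

// Constructed sample input, taken from the page's example request.
const payload = { name: 'John Doe', email: 'john@example.com', phone: '9876543210', phone_country_code: '+91' };
const compact = JSON.stringify(payload);         // the string that gets signed
const pretty = JSON.stringify(payload, null, 2); // same JSON, different bytes
const method = 'POST';
const path = '/api/platform/users/create';
const query = '?isExample=true&version=1.0.5';
const sig = signRequest(SECRET, method, path, query, compact);

function demo() {
  return {
    // Body sent exactly as signed: verifies.
    sameBytes: verifyRequest(SECRET, method, path, query, compact, sig),
    // Body re-serialized with whitespace after signing: rejected.
    reformatted: verifyRequest(SECRET, method, path, query, pretty, sig),
    // Query string altered in transit: rejected.
    tamperedQuery: verifyRequest(SECRET, method, path, '?isExample=false&version=1.0.5', compact, sig),
  };
}

console.log(demo());
```

In practice, serialize the body once, sign that string, and pass the same string to the HTTP client rather than letting the client re-serialize the object.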

Best Practices

  • Keep your API Key and Secret Key secure — never expose them on the client side
  • Always use HTTPS to protect the signature and payload
  • Regenerate the signature for every request; it’s not reusable

Need help? Reach out to support@paywint.com