Authentication: Signing Every Request the Right Way

BharathEX APIs use the HMAC-SHA256 algorithm to authenticate requests securely. Every request must be signed over its URL path and body using your API Secret. Our server verifies this signature before processing the request to confirm its authenticity and integrity.

This section is a complete guide to signing API requests in JavaScript, using the CryptoJS library to compute the HMAC-SHA256 signature.

Important Notes

All private REST API requests must include the following headers to be processed successfully.

The API request payload and the signature payload must follow the exact same parameter order. Any mismatch can lead to authentication failure. Maintaining this alignment is important for ensuring data integrity and adhering to EFIcyent's security protocols.

For the URLPath, use only the last segment of the endpoint.

Example: For https://example.com/api/user/s2s/create_transaction, use **/create_transaction** as the URL path for signing.

Do not include files or images in the request body. This is because HMAC authentication is based on hashing, which only supports plain text or binary content. Including such files will cause the signature validation to fail.

You can install CryptoJS via npm with the following command:

```
npm install crypto-js
```

                            
```javascript
const CryptoJS = require("crypto-js");

// Builds the signing string (URL path + JSON body + timestamp + secret) and
// returns its HMAC-SHA256, keyed with the client secret, as a hex string.
function signContent(url, body, client_secret, timestamp) {
    const plainContent = `${url}${body ? JSON.stringify(body) : "{}"}${timestamp}${client_secret}`;
    // plainContent contains client_secret, so it is not written to the log.
    console.log("timestamp : " + timestamp);
    return CryptoJS.HmacSHA256(plainContent, client_secret).toString(CryptoJS.enc.Hex);
}

const url = "/create_transaction"; // last segment of the endpoint only
const body = {
    requestId: "fd33ba787612d595eff03f866b745ed4f",
    amount: "1000"
};

const client_id = "";     // your API key; not part of the signing string
const client_secret = ""; // your API secret
const timestamp = Math.floor(Date.now() / 1000); // Unix time in seconds
const signature = signContent(url, body, client_secret, timestamp);

console.log("Generated Signature:", signature);
```

Example Breakdown:

urlPath (url in the code):
Represents the final segment of the API endpoint (e.g., "/create_transaction").
body:
Contains the request payload parameters, such as requestId and amount.
ClientId (client_id in the code):
Your assigned API key used for authenticating the request.
ClientSecret (client_secret in the code):
The salt key provided to enhance request security. In signContent it is appended to the signing string and also used as the HMAC key.
signature:
Stores the output generated by the signContent function.
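The parameter-order rule from the Important Notes, as an added example (not BharathEX's own code): the body is serialized once and that same string is both signed and sent, and a reordered body is shown failing verification. It uses Node's built-in crypto module in place of CryptoJS; signSerialized, buildSignedRequest, verifySignedRequest, the sample secret and the timestamp are hypothetical names and constructed values.

```javascript
// Added example, not BharathEX code. Node's built-in crypto replaces CryptoJS;
// both yield the same hex HMAC-SHA256 for the same UTF-8 string and key.
const crypto = require("crypto");

// Same signing string as signContent: path + JSON body + timestamp + secret.
function signSerialized(urlPath, bodyJson, clientSecret, timestamp) {
  const plain = `${urlPath}${bodyJson}${timestamp}${clientSecret}`;
  return crypto.createHmac("sha256", clientSecret).update(plain, "utf8").digest("hex");
}

// Serialize the body exactly once and reuse that string for the signature and
// the wire payload, so both always carry the parameters in the same order.
function buildSignedRequest(urlPath, body, clientSecret, timestamp) {
  const bodyJson = body ? JSON.stringify(body) : "{}";
  const signature = signSerialized(urlPath, bodyJson, clientSecret, timestamp);
  return { urlPath, bodyJson, timestamp, signature };
}

// Hypothetical receiver-side check (the page does not show the server's code):
// recompute over the received body string and compare in constant time.
function verifySignedRequest(req, clientSecret) {
  const expected = Buffer.from(
    signSerialized(req.urlPath, req.bodyJson, clientSecret, req.timestamp), "hex");
  const received = Buffer.from(String(req.signature), "hex");
  return received.length === expected.length && crypto.timingSafeEqual(received, expected);
}

// Constructed sample values, not real credentials.
const SAMPLE_SECRET = "constructed-test-secret";
const SAMPLE_TS = 1700000000;
const sampleBody = { requestId: "fd33ba787612d595eff03f866b745ed4f", amount: "1000" };

const goodRequest = buildSignedRequest("/create_transaction", sampleBody, SAMPLE_SECRET, SAMPLE_TS);

// Failure mode: the same fields re-serialized in a different order after signing.
const reorderedRequest = {
  ...goodRequest,
  bodyJson: JSON.stringify({ amount: sampleBody.amount, requestId: sampleBody.requestId }),
};

console.log("same order verifies:", verifySignedRequest(goodRequest, SAMPLE_SECRET));
console.log("reordered verifies: ", verifySignedRequest(reorderedRequest, SAMPLE_SECRET));
```

Sending bodyJson itself as the request body, rather than letting an HTTP client re-serialize the object, is what keeps the signed string and the transmitted payload identical.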