Calculating the Signature
Learn how to calculate and send the Signature header value to verify requests integrity

Calculating the Signature

All the calls to our Deposits APIs will contain an Authorization field on the header used to ensure request integrity and to authenticate yourself since you will use your own secret key (API Signature) to generate and encrypt a hash.
It has to be created using HMAC-SHA-256 (RFC 2104) encoding and the payload must include the following details:
X-Date + X-Login + JSONPayload
Use your API Signature to generate the Authorization value
The Authorization field on the header of the requests will contain the string "D24 " plus the hash generated, in the following format:
Authorization: "D24 " + HMAC256(X-Date + X-Login + JSONPayload)
Example:
Authorization: D24 223a9dd4784726f1536c926da7dc69155a57612c5c3c1e1b429c367a5eee67cf

Notes

The X-Login is your login API Key, it can be retrieved from the Merchant Panel by going to Settings -> API Access -> Deposit credentials -> API Key.
The X-Date is the date in ISO8601 Datetime with Timezone. Format expected: ISO8601 Datetime with Timezone: yyyy-MM-dd'T'HH:mm:ssZ. E.g.: 2020-06-21T12:33:20Z.
The Authorization value is case sensitive and must include all the above mentioned values.
The JSONPayload is the exact same JSON you sent in the body of the request.
In case the JSONPayload value is empty (for example in the status or payment methods endpoints), use an empty string ("") instead.
The JSONPayload should be converted to UTF-8 before hashing it to prevent Invalid Signature error when sending characters with different encodings.

Examples

Check the examples in the different languages on how to properly calculate the Signature.
You can also check the code of our SDKs in Java and PHP to see how it is calculated.
Java
C#
PHP
1
import java.io.ByteArrayOutputStream;
2
import java.io.IOException;
3
import java.nio.charset.StandardCharsets;
4
import java.security.InvalidKeyException;
5
import java.security.NoSuchAlgorithmException;
6
import java.util.Formatter;
7
import javax.crypto.Mac;
8
import javax.crypto.spec.SecretKeySpec;
9
10
public static final String D24_AUTHORIZATION_SCHEME = "D24 ";
11
12
private static final String HMAC_SHA256 = "HmacSHA256";
13
14
public static String buildDepositKeySignature(String apiSignature, String xDate, String depositKey, String JSONPayload)
15
throws NoSuchAlgorithmException, InvalidKeyException, IOException {
16
byte[] hmacSha256 = null;
17
Mac mac = Mac.getInstance(HMAC_SHA256);
18
SecretKeySpec secretKeySpec = new SecretKeySpec(apiSignature.getBytes(StandardCharsets.UTF_8), HMAC_SHA256);
19
mac.init(secretKeySpec);
20
hmacSha256 = mac.doFinal(buildByteArray(xDate, apiKey, JSONPayload));
21
return D24_AUTHORIZATION_SCHEME + toHexString(hmacSha256);
22
}
23
24
private static byte[] buildByteArray(String xDate, String apiKey, String JSONPayload) throws IOException {
25
ByteArrayOutputStream bos = new ByteArrayOutputStream();
26
bos.write(xDate.getBytes(StandardCharsets.UTF_8));
27
bos.write(apiKey.getBytes(StandardCharsets.UTF_8));
28
if (JSONPayload != null) {
29
bos.write(payload.getBytes(StandardCharsets.UTF_8));
30
}
31
return bos.toByteArray();
32
}
33
34
private static String toHexString(byte[] bytes) {
35
Formatter formatter = new Formatter();
36
for (byte b : bytes) {
37
formatter.format("%02x", b);
38
}
39
return formatter.toString();
40
}
41
42
Copied!
1
using System;
2
using System.Text;
3
using System.IO;
4
using System.Security.Cryptography;
5
6
namespace Application
7
{
8
9
class Directa24Example
10
{
11
12
public readonly static string D24_AUTHORIZATION_SCHEME = "D24 ";
13
14
private readonly static string HMAC_SHA256 = "HmacSHA256";
15
16
public static String buildDepositKeySignature(String apiSignature, String xDate, String depositKey, String jsonPayload)
17
{
18
byte[] hmacSha256 = null;
19
var apiSignatureEncod = Encoding.UTF8.GetBytes(apiSignature);
20
var hash = new HMACSHA256(apiSignatureEncod);
21
hmacSha256 = hash.ComputeHash(buildByteArray(xDate, depositKey, jsonPayload));
22
return D24_AUTHORIZATION_SCHEME + toHexString(hmacSha256).ToLower();
23
}
24
25
private static byte[] buildByteArray(String xDate, String apiKey, String jsonPayload)
26
{
27
try
28
{
29
MemoryStream stream = new MemoryStream();
30
var xDateEncod = Encoding.UTF8.GetBytes(xDate);
31
var apiKeyEncod = Encoding.UTF8.GetBytes(apiKey);
32
stream.Write(xDateEncod, 0, xDateEncod.Length);
33
stream.Write(apiKeyEncod, 0, apiKeyEncod.Length);
34
if (!string.IsNullOrWhiteSpace(jsonPayload))
35
{
36
var jsonPayloadEncod = Encoding.UTF8.GetBytes(jsonPayload);
37
stream.Write(jsonPayloadEncod, 0, jsonPayloadEncod.Length);
38
}
39
return stream.ToArray();
40
}
41
catch (Exception ex)
42
{
43
throw ex;
44
}
45
}
46
47
private static string toHexString(byte[] bytes)
48
{
49
return BitConverter.ToString(bytes).Replace("-", string.Empty);
50
}
51
}
52
}
53
54
Copied!
1
<?php
2
3
class Directa24Example {
4
5
const D24_AUTHORIZATION_SCHEME = "D24 ";
6
const HMAC_SHA256 = 'sha256';
7
8
9
public static function build_deposit_key_signature($api_signature, $x_date, $deposits_api_key, $json_payload) {
10
11
// Concatenate the content of the header X-Date, your deposits API Key (X-Login) and
12
// the whole JSON payload of the body of the request
13
$string = $x_date . $deposits_api_key . $json_payload;
14
15
// Generate the HASH by using yur own deposits API Signature and
16
// concatenate "D24 " in front of the hash
17
return self::D24_AUTHORIZATION_SCHEME . hash_hmac(self::HMAC_SHA256, $string, $api_signature);
18
19
}
20
21
}
22
23
Copied!