Request Signing
How to compute the HMAC-SHA256 request signature.
The HMAC-SHA256 signature is computed over a canonical string built from
four components joined by newline characters (\n, byte 0x0A):
CANONICAL_STRING = METHOD + "\n" + PATH_AND_QUERY + "\n" + TIMESTAMP + "\n" + BODY| Component | Description |
|---|---|
METHOD | HTTP verb in uppercase (GET, POST, PATCH) |
PATH_AND_QUERY | Full request path including query string, without the host (e.g. /v1/users/ext123/balances) |
TIMESTAMP | Value of the X-Request-Timestamp header |
BODY | Raw request body string, or empty string for bodyless requests (GET, DELETE) |
Example — GET request (JavaScript)
const timestamp = "2026-03-13T12:00:00Z";
const canonical = ["GET", "/v1/users/ext123/balances", timestamp, ""].join("\n");
const signature = crypto.createHmac("sha256", secret).update(canonical).digest("hex");Example — POST request (Python)
import hmac, hashlib, json
timestamp = "2026-03-13T12:00:00Z"
body = json.dumps({"externalId": "ext123", "firstName": "Jane", ...})
canonical = "\n".join(["POST", "/v1/users", timestamp, body])
signature = hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()