All requests require an API key passed in the Authorization header using the Bearer authentication scheme. You can get your key from the Paycashless dashboard.

Authorization: Bearer <YOUR_API_KEY>

Request Signing

Check the Signing API requests page for a detailed guide on how to sign your API requests.

To protect the integrity of your API requests, Paycashless uses signature authentication. This ensures that each request is securely verified and that the data hasn’t been altered in transit.

Because you generate a signature with your API secret using HMAC-SHA512, we’re able to validate both the authenticity and integrity of every request sent to our servers.

Each request must therefore include these headers:

  1. Request-Timestamp: Unix timestamp in seconds
  2. Request-Signature: HMAC-SHA512 signature

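A Request-Signature is generated from the following values, concatenated in this order:

  1. The request path
  2. A hash of the alphabetically sorted request body (for POST requests), computed with HMAC-SHA512 and your API secret
  3. Unix timestamp in seconds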

Example

import crypto from 'crypto';
import { sortObjectAlphabetically } from "./sort.js";

function sha512Sign(message, secret) {
  return crypto.createHmac('sha512', secret).update(message).digest('hex');
}

// Get the timestamp (in seconds) and pass it to the header as 'Request-Timestamp'
const timestamp = Math.floor(Date.now() / 1000);
const requestPath = "/v1/payouts";
const API_SECRET = "YOUR_API_SECRET"; // replace this with your actual API secret value

// Get the request body 
let body = {
  "amount":{
    "currency":"NGN",
    "value":10000
  },
  "bankId":"bank_538ed2056326432ba8e6853b613997bb",
  "callbackUrl":"https://webhook.site/99a59e8a-bd0b-485d-8249-fccb5eb62e27",
  "destinationAccountNumber":"9845648577",
  "metadata":{
    "category":"transfer"
  },
  "narration":"zapped",
  "reference":"trx_fWQ7b31pbs5mmT3k3qfb46"
};

// Sort the body alphabetically
body = sortObjectAlphabetically(body);

// Create the body hash to be passed as payload
const bodyHash = sha512Sign(JSON.stringify(body), API_SECRET);

// Concatenate the string to sign
const stringToSign = `${requestPath}${bodyHash}${timestamp}`;

// Generate the Request-Signature value for the header
const signature = sha512Sign(stringToSign, API_SECRET);

console.log(`signature: ${signature}`);
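
The same construction end to end, as an added example that is not Paycashless code: it shows why the body keys must be sorted at every nesting level and how a receiver would recompute and compare the signature. Assumptions: `sortKeysDeep` is a hypothetical stand-in for the `./sort.js` helper the page imports but does not show, and `verifyRequest` with its 300-second window is illustrative, not a documented Paycashless limit.

```javascript
// Load node:crypto whether this file runs as CommonJS or as an ES module.
const crypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

// Hypothetical stand-in for the page's ./sort.js: sort keys recursively so
// nested objects ("amount", "metadata") serialize the same way every time.
function sortKeysDeep(value) {
  if (Array.isArray(value)) return value.map(sortKeysDeep); // keep array order
  if (value === null || typeof value !== 'object') return value;
  const sorted = {};
  for (const key of Object.keys(value).sort()) sorted[key] = sortKeysDeep(value[key]);
  return sorted;
}

function hmacSha512Hex(message, secret) {
  return crypto.createHmac('sha512', secret).update(message).digest('hex');
}

// Same construction as the page: HMAC(path + HMAC(sorted body) + timestamp).
function signRequest(path, body, secret, timestamp) {
  const bodyHash = hmacSha512Hex(JSON.stringify(sortKeysDeep(body)), secret);
  return hmacSha512Hex(`${path}${bodyHash}${timestamp}`, secret);
}

// Illustrative receiver-side check. maxSkewSeconds is an assumed value,
// not a documented Paycashless limit.
function verifyRequest(path, body, headers, secret, nowSeconds, maxSkewSeconds = 300) {
  const timestamp = Number(headers['Request-Timestamp']);
  if (!Number.isInteger(timestamp)) return false;
  if (Math.abs(nowSeconds - timestamp) > maxSkewSeconds) return false; // stale or replayed
  const expected = Buffer.from(signRequest(path, body, secret, timestamp), 'hex');
  const received = Buffer.from(String(headers['Request-Signature'] ?? ''), 'hex');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return received.length === expected.length && crypto.timingSafeEqual(received, expected);
}

// Constructed sample values, not real credentials.
const SECRET = 'constructed-test-secret';
const NOW = 1700000000;
const payout = { reference: 'trx_example', amount: { value: 10000, currency: 'NGN' } };
const headers = {
  'Request-Timestamp': String(NOW),
  'Request-Signature': signRequest('/v1/payouts', payout, SECRET, NOW),
};
console.log(verifyRequest('/v1/payouts', payout, headers, SECRET, NOW + 5)); // true
```

If the sender and receiver serialize the body with different key orders, the body hash differs and verification fails even though the data is identical, which is why the sort step comes before `JSON.stringify`.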