The Ebioro Merchant API uses HMAC Digest Authentication. Every request must include three headers that prove you own the API keys.

Required Headers

Header | Description
X-Digest-Key | Your public API key (pk_... or pk_test_...)
X-Digest-Timestamp | Current Unix timestamp (seconds)
X-Digest-Signature | HMAC-SHA256 signature of the request

Computing the Signature

The signature is an HMAC-SHA256 hash of the concatenation of:
path + timestamp + method + body
Where:
  • path — the request path including query string (e.g., /payments)
  • timestamp — the same value as X-Digest-Timestamp
  • method — HTTP method in uppercase (e.g., POST, GET)
  • body — the raw JSON body for POST requests, empty string for GET
The concatenated string is signed with your api_secret_key as the HMAC key.

Code Examples

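const crypto = require('crypto');

// Builds the three X-Digest-* headers (plus Content-Type) for one request.
// `body` is the object that will be sent as JSON; it is ignored for GET.
function buildAuthHeaders(publicKey, secretKey, path, method, body = '') {
  const timestamp = Math.floor(Date.now() / 1000).toString();
  // The signature covers the method in uppercase.
  const verb = method.toUpperCase();
  // Send JSON.stringify(body) as the request body so that the signed
  // string and the transmitted body match exactly.
  const data = verb !== 'GET' ? JSON.stringify(body) : '';
  const toSign = path + timestamp + verb + data;
  const signature = crypto
    .createHmac('sha256', secretKey)
    .update(toSign)
    .digest('hex');

  return {
    'X-Digest-Key': publicKey,
    'X-Digest-Timestamp': timestamp,
    'X-Digest-Signature': signature,
    'Content-Type': 'application/json',
  };
}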

Timestamp Validation

The server rejects requests where the timestamp is more than 5 minutes from the server’s current time. Make sure your server clock is synchronized.

Errors

Status | Reason
401 | Missing header values
401 | Invalid public key
401 | Signature verification failed
401 | The request timed out (timestamp too old)
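
The checks a verifier for this scheme performs, as an added example (not Ebioro's server code) that can be used to test client signing locally. The key map, the sample keys, the lower-cased header names and the order of the checks are assumptions; the reasons returned mirror the table above.

```javascript
const crypto = require('crypto');

const MAX_SKEW_SECONDS = 5 * 60; // the 5-minute window from "Timestamp Validation"

// Constructed sample credentials, not real keys. A real verifier would
// look the secret up in its key store.
const SECRETS = new Map([['pk_test_example', 'sk_test_example_secret']]);

// HMAC-SHA256 over path + timestamp + method + body, hex-encoded.
function sign(secretKey, path, timestamp, method, rawBody) {
  return crypto
    .createHmac('sha256', secretKey)
    .update(path + timestamp + method.toUpperCase() + rawBody)
    .digest('hex');
}

// headers: lower-cased names, as Node's http module presents them (assumption).
// rawBody: the exact body string received, before any JSON parsing.
function verifyRequest(headers, path, method, rawBody,
                       nowSeconds = Math.floor(Date.now() / 1000)) {
  const key = headers['x-digest-key'];
  const timestamp = headers['x-digest-timestamp'];
  const signature = headers['x-digest-signature'];
  if (!key || !timestamp || !signature) {
    return { status: 401, reason: 'Missing header values' };
  }
  const secret = SECRETS.get(key);
  if (!secret) return { status: 401, reason: 'Invalid public key' };

  // Compare digests in constant time; a malformed signature never matches.
  const expected = Buffer.from(sign(secret, path, timestamp, method, rawBody), 'hex');
  const received = /^[0-9a-f]{64}$/i.test(signature)
    ? Buffer.from(signature, 'hex')
    : Buffer.alloc(0);
  if (received.length !== expected.length ||
      !crypto.timingSafeEqual(received, expected)) {
    return { status: 401, reason: 'Signature verification failed' };
  }

  // The timestamp is covered by the signature, so it can be trusted here.
  // Reject anything more than 5 minutes away, in either direction.
  const ts = /^\d+$/.test(timestamp) ? Number(timestamp) : NaN;
  if (!Number.isFinite(ts) || Math.abs(nowSeconds - ts) > MAX_SKEW_SECONDS) {
    return { status: 401, reason: 'The request timed out (timestamp too old)' };
  }
  return { status: 200, reason: 'OK' };
}
```

Pass the body exactly as it arrived on the wire: parsing and re-serializing the JSON before verification can change whitespace or key order and make a valid signature fail.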