Authorization

All requests to the Merchant API must include the X-Identity and X-Signature headers.

Requests to the Public API do not require sending additional headers.

X-Identity

The X-Identity header must contain the API key from the merchant's shop.

X-Identity: <API-key>

X-Signature

The X-Signature header must contain the Base64-encoded signature of the string to sign, computed with the merchant's secret key using the SHA1 algorithm (HMAC-SHA1, as in the code example below).

The string to sign must be formed by concatenating the following elements in the following order:

  1. HTTP request method (for example, GET, POST);

  2. The request's URL (for example, https://{{domain}}/api/merchant/invoices);

  3. The request body, if present, for requests with the application/json content type.

Example of the string that should be signed:

POST https://{{domain}}/api/merchant/invoices{"amount":"100","currency":"RUB","type":"in"...}

GET and multipart/form-data requests

For GET requests and for requests with the multipart/form-data content type, the signature string is created by concatenating only the request method and the request URL.

An example for a GET request:

GET https://{{domain}}/api/merchant/accounts

An example for a multipart/form-data request:

POST https://{{domain}}/api/merchant/invoices/69658e0c-8aae-4849-b2fe-aa8af418ac3a/dispute

Signature generation

Sign the previously composed string with the secret key using the SHA1 algorithm (HMAC-SHA1). Encode the raw result in Base64 and send it in the X-Signature header.

X-Signature: <Signature>

Code examples

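// Concatenates method, URL and body; pass an empty $bodyContent for
// GET and multipart/form-data requests.
function calculateSignature(string $method, string $url, string $bodyContent, string $secret): string
{
    $stringToSign = $method . $url . $bodyContent;

    // Raw (binary) HMAC-SHA1 digest, then Base64.
    return base64_encode(hash_hmac('sha1', $stringToSign, $secret, true));
}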
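
A Python version of the full signing procedure, added here as an illustration and not part of the original documentation. It follows the PHP function above (parts concatenated with no separator) and returns the exact body bytes that were signed, since re-serializing the JSON before sending would change the bytes and invalidate the signature. The function names, the merchant.example host, the UTF-8 encoding and the compact JSON separators are assumptions.

```python
import base64
import hashlib
import hmac
import json


def sign(string_to_sign: str, secret: str) -> str:
    """Base64 of the raw HMAC-SHA1 digest, like hash_hmac('sha1', ..., true)."""
    digest = hmac.new(secret.encode("utf-8"),          # UTF-8 is an assumption
                      string_to_sign.encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def string_to_sign(method: str, url: str, body: str = "", content_type: str = "") -> str:
    """Method + URL, plus the body only for non-GET application/json requests."""
    media_type = content_type.split(";")[0].strip().lower()
    if method.upper() == "GET" or media_type != "application/json":
        body = ""  # GET and multipart/form-data: the body is not signed
    return method + url + body


def build_request(method, url, api_key, secret, json_payload=None):
    """Return (headers, body_bytes); send body_bytes verbatim."""
    headers = {"X-Identity": api_key}
    body = ""
    if json_payload is not None:
        # Serialize once; the same string is signed and sent.
        body = json.dumps(json_payload, separators=(",", ":"))
        headers["Content-Type"] = "application/json"
    to_sign = string_to_sign(method, url, body, headers.get("Content-Type", ""))
    headers["X-Signature"] = sign(to_sign, secret)
    return headers, body.encode("utf-8")


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url = "https://merchant.example/api/merchant/invoices"
    payload = {"amount": "100", "currency": "RUB", "type": "in"}
    headers, body = build_request("POST", url, "demo-api-key", "demo-secret", payload)
    print(headers, body)
```

With an HTTP client such as requests, pass the returned bytes as the raw body (data=body) rather than letting the client serialize the payload again.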