Tylt: API Documentation
  • Introduction
    • Introduction
    • Getting Started
    • Generating API Keys
    • Signing API Payloads
    • Important Concepts
    • Merchant Verification
    • Tylt Prime (UPI to Crypto Solution)
      • API Reference
        • Create a Pay-in Instance
        • Create a Pay-out Instance
        • Webhook for Tylt Prime
        • Get Instance Information
        • Get Pay-In Transaction Information
        • Get Pay-Out Transaction Information
    • Tylt Prime (UPI to Crypto Solution - H2H)
      • API Reference ( Pay-In)
        • Create a Pay-in Instance
        • Buyer Confirms Payment
        • Webhook for Tylt Prime
        • Get Instance Details
        • Get Pay-In Transaction Information
        • Get List of Fiat Currency and Supported Payment Methods
        • Get List of Supported Crypto Currency for Settlement
        • Get Conversion Rates
  • Tylt CPG (Crypto Payment Gateway)
    • API Reference
      • Accept Crypto Payments
        • Creating a Pay-in Request
        • Get Pay-In Transaction History
        • Get Pay-In Transaction Information
      • Make Crypto Payouts
        • Creating a Payout Request
        • Get Pay-Out Transaction History
        • Get Pay-Out Transaction Information
      • Supporting API's
        • Get Supported Crypto Currencies List
        • Get Supported Fiat Currencies
        • Get Account Balance / Holdings
        • Get Supported Crypto Networks
        • Supported Base Currency List
      • Webhook
    • Use Cases
      • E-commerce Flow
      • Withdrawal Flow
Powered by GitBook
On this page
  • Signing API Payloads
  • Signing a Request
  • Example Codes
  1. Introduction

Signing API Payloads

Signing API Payloads

To ensure the security and integrity of your API requests to Tylt, each payload must be signed using your API Secret Key. This process generates a unique signature that verifies the authenticity of the request.

Signing a Request

The following steps outline how to sign your API requests:

  1. Retrieve Your API Keys

    You need your API Key and API Secret Key, which should be stored securely. Ensure these keys are kept confidential and are not exposed in client-side code.

  2. Generate the Signature

    You will create a signature using HMAC SHA-256 encryption. This signature will be included in the headers of your API requests.

Example Codes

Here’s how you can sign requests using different programming languages:

// Common function to create HMAC SHA-256 signature
const createSignature = (secret, data) => {
    return crypto.createHmac('sha256', secret)
                 .update(data)
                 .digest('hex');
};

const axios = require('axios');
const crypto = require('crypto');

// Replace with your API Key and Secret
const apiKey = 'your-api-key';
const apiSecret = 'your-api-secret';

// Function to send a POST request
const sendPostRequest = async (url, body) => {
    const raw = JSON.stringify(body);
    const signature = createSignature(apiSecret, raw);

    const headers = {
        "X-TLP-APIKEY": apiKey,
        "X-TLP-SIGNATURE": signature
    };

    const response = await axios.post(url, body, { headers });
    return response.data;
};

// Function to send a GET request
const sendGetRequest = async (url, params) => {
    const raw = new URLSearchParams(params).toString();

    const signature = createSignature(apiSecret, JSON.stringify(params));

    const headers = {
        "X-TLP-APIKEY": apiKey,
        "X-TLP-SIGNATURE": signature
    };

    const response = await axios.get(`${url}?${raw}`, { headers });
    return response.data;
};

import json
import hashlib
import hmac
import requests

# Replace with your API Key and Secret
api_key = 'your-api-key'
api_secret = 'your-api-secret'

# Function to create HMAC SHA-256 signature
def create_signature(secret, data):
    return hmac.new(secret.encode(), data.encode(), hashlib.sha256).hexdigest()

# Function to send a POST request
def send_post_request(url, body):
    raw = json.dumps(body, separators=(',', ':'), ensure_ascii=False)
    signature = create_signature(api_secret, raw)

    headers = {
        'X-TLP-APIKEY': api_key,
        'X-TLP-SIGNATURE': signature
    }

    response = requests.post(url, headers=headers, data=raw)
    return response.json()


send_post_request('https://domain.com/path', body = {"orderId":"UUID-order-id"})

# Function to send a GET request
def send_get_request(url, params):
    raw = '&'.join([f"{key}={value}" for key, value in params.items()])
    body_string = json.dumps(params, separators=(',', ':'), ensure_ascii=False)

    signature = create_signature(api_secret, body_string)

    headers = {
        'X-TLP-APIKEY': api_key,
        'X-TLP-SIGNATURE': signature
    }

    response = requests.get(f"{url}?{raw}", headers=headers)
    return response.json()

send_get_request('https://domain.com/path',  params = {"orderId":"UUID-order-id"})

const crypto = require('crypto');

// Function to send a POST request
const sendPostRequest = async (url, body) => {
    const raw = JSON.stringify(body);
    const signature = createSignature(apiSecret, raw);

    const headers = {
        "Content-Type": "application/json",
        "X-TLP-APIKEY": apiKey,
        "X-TLP-SIGNATURE": signature
    };

    const response = await fetch(url, {
        method: 'POST',
        headers: headers,
        body: raw,
    });
    return response.json();
};

// Function to send a GET request
const sendGetRequest = async (url, params) => {
    const raw = new URLSearchParams(params).toString();
    const signature = createSignature(apiSecret, raw);

    const headers = {
        "X-TLP-APIKEY": apiKey,
        "X-TLP-SIGNATURE": signature
    };

    const response = await fetch(`${url}?${raw}`, {
        method: 'GET',
        headers: headers,
    });
    return response.json();
};

By following these steps and using the provided code examples, you can securely sign your API requests to Tylt, ensuring the integrity and authenticity of your transactions.

Important Considerations

  • Keep Your Keys Secure: Always use environment variables or secure storage for sensitive information like your API Secret Key.

  • Regenerate Keys if Compromised: If your API keys are exposed or compromised, regenerate them immediately and update your secure storage.

PreviousGenerating API KeysNextImportant Concepts

Last updated 1 month ago