Signing API Payloads

To ensure the security and integrity of your API requests to Tylt, each payload must be signed using your API Secret Key. This process generates a unique signature that verifies the authenticity of the request.

Signing a Request

The following steps outline how to sign your API requests:

Retrieve Your API Keys
You need your API Key and API Secret Key, which should be stored securely. Ensure these keys are kept confidential and are not exposed in client-side code.
Generate the Signature
You will create a signature using HMAC SHA-256 encryption. This signature will be included in the headers of your API requests.

Example Codes

Here’s how you can sign requests using different programming languages:

// Common function to create HMAC SHA-256 signature
const createSignature = (secret, data) => {
    return crypto.createHmac('sha256', secret)
                 .update(data)
                 .digest('hex');
};

const axios = require('axios');
const crypto = require('crypto');

// Replace with your API Key and Secret
const apiKey = 'your-api-key';
const apiSecret = 'your-api-secret';

// Function to send a POST request
const sendPostRequest = async (url, body) => {
    const raw = JSON.stringify(body);
    const signature = createSignature(apiSecret, raw);

    const headers = {
        "X-TLP-APIKEY": apiKey,
        "X-TLP-SIGNATURE": signature
    };

    const response = await axios.post(url, body, { headers });
    return response.data;
};

// Function to send a GET request
const sendGetRequest = async (url, params) => {
    const raw = new URLSearchParams(params).toString();

    const signature = createSignature(apiSecret, JSON.stringify(params));

    const headers = {
        "X-TLP-APIKEY": apiKey,
        "X-TLP-SIGNATURE": signature
    };

    const response = await axios.get(`${url}?${raw}`, { headers });
    return response.data;
};

import json
import hashlib
import hmac
import requests

# Replace with your API Key and Secret
api_key = 'your-api-key'
api_secret = 'your-api-secret'

# Function to create HMAC SHA-256 signature
def create_signature(secret, data):
    return hmac.new(secret.encode(), data.encode(), hashlib.sha256).hexdigest()

# Function to send a POST request
def send_post_request(url, body):
    raw = json.dumps(body, separators=(',', ':'), ensure_ascii=False)
    signature = create_signature(api_secret, raw)

    headers = {
        'X-TLP-APIKEY': api_key,
        'X-TLP-SIGNATURE': signature
    }

    response = requests.post(url, headers=headers, data=raw)
    return response.json()


send_post_request('https://domain.com/path', body = {"orderId":"UUID-order-id"})

# Function to send a GET request
def send_get_request(url, params):
    raw = '&'.join([f"{key}={value}" for key, value in params.items()])
    body_string = json.dumps(params, separators=(',', ':'), ensure_ascii=False)

    signature = create_signature(api_secret, body_string)

    headers = {
        'X-TLP-APIKEY': api_key,
        'X-TLP-SIGNATURE': signature
    }

    response = requests.get(f"{url}?{raw}", headers=headers)
    return response.json()

send_get_request('https://domain.com/path',  params = {"orderId":"UUID-order-id"})

const crypto = require('crypto');

// Function to send a POST request
const sendPostRequest = async (url, body) => {
    const raw = JSON.stringify(body);
    const signature = createSignature(apiSecret, raw);

    const headers = {
        "Content-Type": "application/json",
        "X-TLP-APIKEY": apiKey,
        "X-TLP-SIGNATURE": signature
    };

    const response = await fetch(url, {
        method: 'POST',
        headers: headers,
        body: raw,
    });
    return response.json();
};

// Function to send a GET request
const sendGetRequest = async (url, params) => {
    const raw = new URLSearchParams(params).toString();
    const signature = createSignature(apiSecret, raw);

    const headers = {
        "X-TLP-APIKEY": apiKey,
        "X-TLP-SIGNATURE": signature
    };

    const response = await fetch(`${url}?${raw}`, {
        method: 'GET',
        headers: headers,
    });
    return response.json();
};

By following these steps and using the provided code examples, you can securely sign your API requests to Tylt, ensuring the integrity and authenticity of your transactions.

Important Considerations

Keep Your Keys Secure: Always use environment variables or secure storage for sensitive information like your API Secret Key.
Regenerate Keys if Compromised: If your API keys are exposed or compromised, regenerate them immediately and update your secure storage.

PreviousGenerating API Keys NextImportant Concepts

Last updated 3 months ago