# Signing API Payloads

### **Signing API Payloads**

To ensure the security and integrity of your API requests to Tylt, each payload must be signed using your API Secret Key. This process generates a unique signature that verifies the authenticity of the request.

### **Signing a Request**

The following steps outline how to sign your API requests:

1. **Retrieve Your API Keys**

   You need your API Key and API Secret Key, which should be stored securely. Ensure these keys are kept confidential and are not exposed in client-side code.
2. **Generate the Signature**

   You will create a signature using HMAC SHA-256 encryption. This signature will be included in the headers of your API requests.

### **Example Codes**

Here’s how you can sign requests using different programming languages:

{% tabs %}
{% tab title="Common" %}

```javascript
// Common function to create HMAC SHA-256 signature
const createSignature = (secret, data) => {
    return crypto.createHmac('sha256', secret)
                 .update(data)
                 .digest('hex');
};

```

{% endtab %}

{% tab title="Node JS" %}

```javascript
const axios = require('axios');
const crypto = require('crypto');

// Replace with your API Key and Secret
const apiKey = 'your-api-key';
const apiSecret = 'your-api-secret';

// Function to send a POST request
const sendPostRequest = async (url, body) => {
    const raw = JSON.stringify(body);
    const signature = createSignature(apiSecret, raw);

    const headers = {
        "X-TLP-APIKEY": apiKey,
        "X-TLP-SIGNATURE": signature
    };

    const response = await axios.post(url, body, { headers });
    return response.data;
};

// Function to send a GET request
const sendGetRequest = async (url, params) => {
    const raw = new URLSearchParams(params).toString();

    const signature = createSignature(apiSecret, JSON.stringify(params));

    const headers = {
        "X-TLP-APIKEY": apiKey,
        "X-TLP-SIGNATURE": signature
    };

    const response = await axios.get(`${url}?${raw}`, { headers });
    return response.data;
};

```

{% endtab %}

{% tab title="Python" %}

```python
import json
import hashlib
import hmac
import requests

# Replace with your API Key and Secret
api_key = 'your-api-key'
api_secret = 'your-api-secret'

# Function to create HMAC SHA-256 signature
def create_signature(secret, data):
    return hmac.new(secret.encode(), data.encode(), hashlib.sha256).hexdigest()

# Function to send a POST request
def send_post_request(url, body):
    raw = json.dumps(body, separators=(',', ':'), ensure_ascii=False)
    signature = create_signature(api_secret, raw)

    headers = {
        'X-TLP-APIKEY': api_key,
        'X-TLP-SIGNATURE': signature
    }

    response = requests.post(url, headers=headers, data=raw)
    return response.json()


send_post_request('https://domain.com/path', body = {"orderId":"UUID-order-id"})

# Function to send a GET request
def send_get_request(url, params):
    raw = '&'.join([f"{key}={value}" for key, value in params.items()])
    body_string = json.dumps(params, separators=(',', ':'), ensure_ascii=False)

    signature = create_signature(api_secret, body_string)

    headers = {
        'X-TLP-APIKEY': api_key,
        'X-TLP-SIGNATURE': signature
    }

    response = requests.get(f"{url}?{raw}", headers=headers)
    return response.json()

send_get_request('https://domain.com/path',  params = {"orderId":"UUID-order-id"})

```

{% endtab %}

{% tab title="JavaScript" %}

```javascript
const crypto = require('crypto');

// Function to send a POST request
const sendPostRequest = async (url, body) => {
    const raw = JSON.stringify(body);
    const signature = createSignature(apiSecret, raw);

    const headers = {
        "Content-Type": "application/json",
        "X-TLP-APIKEY": apiKey,
        "X-TLP-SIGNATURE": signature
    };

    const response = await fetch(url, {
        method: 'POST',
        headers: headers,
        body: raw,
    });
    return response.json();
};

// Function to send a GET request
const sendGetRequest = async (url, params) => {
    const raw = new URLSearchParams(params).toString();
    const signature = createSignature(apiSecret, raw);

    const headers = {
        "X-TLP-APIKEY": apiKey,
        "X-TLP-SIGNATURE": signature
    };

    const response = await fetch(`${url}?${raw}`, {
        method: 'GET',
        headers: headers,
    });
    return response.json();
};

```

{% endtab %}
{% endtabs %}

By following these steps and using the provided code examples, you can securely sign your API requests to Tylt, ensuring the integrity and authenticity of your transactions.

{% hint style="info" %}
**Important Considerations**

* **Keep Your Keys Secure**: Always use environment variables or secure storage for sensitive information like your API Secret Key.
* **Regenerate Keys if Compromised**: If your API keys are exposed or compromised, regenerate them immediately and update your secure storage.
  {% endhint %}