Signing and Verification
This section describes the signing rules shared by merchant requests and platform callbacks.
Request headers
| Header | Required | Description |
|---|---|---|
| X-Merchant-Id | Yes | Merchant primary ID |
| X-Timestamp | Yes | Unix timestamp (milliseconds) |
| X-Nonce | Yes | 32-char random string |
| X-Sign | Yes | HMAC-SHA256 signature (Base64) |
HTTP header names are case-insensitive.
Signature algorithm
The signature string (SignData) is built from the following fields in fixed order, delimited by |:
timestamp|nonce|rawBody
Signature calculation, where merchant_secret is the HMAC key and SignData is the message:
signature = Base64(HMAC_SHA256(SignData, merchant_secret))
Example test key: sk_test_9f3b8a2d7c1e4f6a8b0c2d4e6f8a1b3c
rawBody is the exact JSON string sent in the request, i.e. the raw request body bytes, not a re-serialised object. Do not reformat or reorder fields. The verifier must compute the signature over the body exactly as received, before parsing it, and compare the result with X-Sign using a constant-time comparison.
Anti-replay requirements
- Timestamp validity: 5 minutes. Reject a request whose X-Timestamp differs from the server's current time by more than 5 minutes in either direction.
- Nonce must be unique within 5 minutes. Reject a request that reuses a nonce already seen within the window, and record a nonce only after the signature has been verified so that unsigned requests cannot consume nonces.
Example code
- Java: View example
- Go: View example
- Node.js: View example
- PHP: View example
- Python: View example