Signing requests
Request Authentication
All requests should be signed using a HMAC256 algorithm and provided clientId and clientSecret.
How to get the signature of the request?
Generate a timestamp (Epoch Unix Timestamp) in milliseconds
Concatenate the timestamp and the endpoint that is called
{timestamp}:{endpoint}Decode the base64 encoded clientSecret
Compute the SHA256 hash of the concatenated string. Use decoded clientSecret as a key. Convert the result to base64
Add the clientId, signature, and timestamp to HTTP headers
The following pseudocode example demonstrates and explains how to sign a request
timestamp = CurrentTimestamp();
stringToSign = timestamp + ":" + endpoint;
signature = Base64 ( HMAC-SHA256 ( Base64-Decode ( clientSecret ), UTF8 ( concatenatedString ) ) );Request examples
The following examples send HTTP request to get price on-ramp API endpoint:
import crypto from 'crypto';
const BASE_URL = 'https://aten.fonbnk-services.com';
const ENDPOINT = '/api/pay-widget-merchant/price';
const CLIENT_ID = '';
const CLIENT_SECRET = '';
const generateSignature = ({
clientSecret,
timestamp,
endpoint,
}: {
clientSecret: string;
timestamp: string;
endpoint: string;
}) => {
let hmac = crypto.createHmac('sha256', Buffer.from(clientSecret, 'base64'));
let stringToSign = `${timestamp}:${endpoint}`;
hmac.update(stringToSign);
return hmac.digest('base64');
};
const main = async () => {
const timestamp = new Date().getTime();
const queryParams = new URLSearchParams({
country: 'NG',
amount: '10',
currency: 'usdc',
network: 'CELO',
asset: 'CUSD',
provider: 'bank_transfer',
});
const endpoint = `${ENDPOINT}?${queryParams.toString()}`;
const signature = generateSignature({
clientSecret: CLIENT_SECRET,
timestamp: timestamp.toString(),
endpoint,
});
const headers = {
'Content-Type': 'application/json',
'x-client-id': CLIENT_ID,
'x-timestamp': timestamp.toString(),
'x-signature': signature,
};
const response = await fetch(`${BASE_URL}${endpoint}`, {
method: 'GET',
headers,
});
const data = await response.json();
console.log(JSON.stringify(data, null, 2));
};
main().catch(console.error);
```python
import hmac
import base64
import time
import requests
from urllib.parse import urlencode
BASE_URL = 'https://aten.fonbnk-services.com'
ENDPOINT = '/api/pay-widget-merchant/price'
CLIENT_ID = ''
CLIENT_SECRET = ''
def pad_base64(base64_string):
return base64_string + '=' * (-len(base64_string) % 4)
def generate_signature(client_secret, timestamp, endpoint):
client_secret_padded = pad_base64(client_secret)
hmac_obj = hmac.new(base64.b64decode(client_secret_padded), f'{timestamp}:{endpoint}'.encode('utf-8'), 'sha256')
return base64.b64encode(hmac_obj.digest()).decode('utf-8')
def main():
timestamp = str(int(time.time() * 1000))
query_params = {
'country': 'NG',
'amount': '10',
'currency': 'usdc',
'network': 'CELO',
'asset': 'CUSD',
'provider': 'bank_transfer',
}
endpoint = f"{ENDPOINT}?{urlencode(query_params)}"
signature = generate_signature(CLIENT_SECRET, timestamp, endpoint)
headers = {
'Content-Type': 'application/json',
'x-client-id': CLIENT_ID,
'x-timestamp': timestamp,
'x-signature': signature,
}
response = requests.get(f"{BASE_URL}{endpoint}", headers=headers)
data = response.json()
print(data)
if __name__ == "__main__":
main()
```package main
import (
"crypto/hmac"
"crypto/sha256"
"encoding/base64"
"encoding/json"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"strings"
"time"
)
const (
BASE_URL = "https://aten.fonbnk-services.com"
ENDPOINT = "/api/pay-widget-merchant/price"
CLIENT_ID = ""
CLIENT_SECRET = ""
)
func padBase64(base64String string) string {
return base64String + strings.Repeat("=", (4-len(base64String)%4)%4)
}
func generateSignature(clientSecret, timestamp, endpoint string) (string, error) {
clientSecretPadded := padBase64(clientSecret)
decodedSecret, err := base64.StdEncoding.DecodeString(clientSecretPadded)
if err != nil {
return "", err
}
message := fmt.Sprintf("%s:%s", timestamp, endpoint)
h := hmac.New(sha256.New, decodedSecret)
h.Write([]byte(message))
signature := base64.StdEncoding.EncodeToString(h.Sum(nil))
return signature, nil
}
func main() {
timestamp := fmt.Sprintf("%d", time.Now().UnixNano()/int64(time.Millisecond))
queryParams := url.Values{
"country": {"NG"},
"amount": {"10"},
"currency": {"usdc"},
"network": {"CELO"},
"asset": {"CUSD"},
"provider": {"bank_transfer"},
}
endpoint := fmt.Sprintf("%s?%s", ENDPOINT, queryParams.Encode())
signature, err := generateSignature(CLIENT_SECRET, timestamp, endpoint)
if err != nil {
fmt.Println("Error generating signature:", err)
return
}
client := &http.Client{}
req, err := http.NewRequest("GET", BASE_URL+endpoint, nil)
if err != nil {
fmt.Println("Error creating request:", err)
return
}
req.Header.Set("Content-Type", "application/json")
req.Header.Set("x-client-id", CLIENT_ID)
req.Header.Set("x-timestamp", timestamp)
req.Header.Set("x-signature", signature)
resp, err := client.Do(req)
if err != nil {
fmt.Println("Error making request:", err)
return
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
fmt.Println("Error reading response body:", err)
return
}
var data map[string]interface{}
if err := json.Unmarshal(body, &data); err != nil {
fmt.Println("Error unmarshalling response:", err)
return
}
fmt.Println(data)
}
<?php
define('BASE_URL', 'https://aten.fonbnk-services.com');
define('ENDPOINT', '/api/pay-widget-merchant/price');
define('CLIENT_ID', '');
define('CLIENT_SECRET', '');
function pad_base64($base64_string) {
return $base64_string . str_repeat('=', (4 - strlen($base64_string) % 4) % 4);
}
function generate_signature($client_secret, $timestamp, $endpoint) {
$client_secret_padded = pad_base64($client_secret);
$hmac = hash_hmac('sha256', "$timestamp:$endpoint", base64_decode($client_secret_padded), true);
return base64_encode($hmac);
}
function main() {
$timestamp = (string) round(microtime(true) * 1000);
$query_params = [
'country' => 'NG',
'amount' => '10',
'currency' => 'usdc',
'network' => 'CELO',
'asset' => 'CUSD',
'provider' => 'bank_transfer',
];
$endpoint = ENDPOINT . '?' . http_build_query($query_params);
$signature = generate_signature(CLIENT_SECRET, $timestamp, $endpoint);
$headers = [
'Content-Type: application/json',
'x-client-id: ' . CLIENT_ID,
'x-timestamp: ' . $timestamp,
'x-signature: ' . $signature,
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, BASE_URL . $endpoint);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$response = curl_exec($ch);
curl_close($ch);
$data = json_decode($response, true);
print_r($data);
}
main();
?>import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Scanner;
public class Main {
private static final String BASE_URL = "https://aten.fonbnk-services.com";
private static final String ENDPOINT = "/api/pay-widget-merchant/price";
private static final String CLIENT_ID = "";
private static final String CLIENT_SECRET = "";
public static void main(String[] args) throws Exception {
long timestamp = System.currentTimeMillis();
Map<String, String> queryParams = new HashMap<>();
queryParams.put("country", "NG");
queryParams.put("amount", "10");
queryParams.put("currency", "usdc");
queryParams.put("network", "CELO");
queryParams.put("asset", "CUSD");
queryParams.put("provider", "bank_transfer");
String endpoint = ENDPOINT + "?" + getQuery(queryParams);
String signature = generateSignature(CLIENT_SECRET, String.valueOf(timestamp), endpoint);
URL url = new URL(BASE_URL + endpoint);
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.setRequestMethod("GET");
connection.setRequestProperty("Content-Type", "application/json");
connection.setRequestProperty("x-client-id", CLIENT_ID);
connection.setRequestProperty("x-timestamp", String.valueOf(timestamp));
connection.setRequestProperty("x-signature", signature);
Scanner scanner = new Scanner(connection.getInputStream());
String response = scanner.useDelimiter("\\A").next();
System.out.println(response);
scanner.close();
}
private static String padBase64(String base64String) {
return base64String + "=".repeat((4 - base64String.length() % 4) % 4);
}
private static String generateSignature(String clientSecret, String timestamp, String endpoint) throws Exception {
String clientSecretPadded = padBase64(clientSecret);
SecretKeySpec secretKeySpec = new SecretKeySpec(Base64.getDecoder().decode(clientSecretPadded), "HmacSHA256");
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(secretKeySpec);
String data = timestamp + ":" + endpoint;
byte[] hmacBytes = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
return Base64.getEncoder().encodeToString(hmacBytes);
}
private static String getQuery(Map<String, String> params) throws Exception {
StringBuilder result = new StringBuilder();
for (Map.Entry<String, String> entry : params.entrySet()) {
if (result.length() > 0) {
result.append("&");
}
result.append(URLEncoder.encode(entry.getKey(), "UTF-8"));
result.append("=");
result.append(URLEncoder.encode(entry.getValue(), "UTF-8"));
}
return result.toString();
}
}Last updated