Request Signing

All requests to the Afterpay API must be signed and have a valid signature passed in the X-Afterpay-Request-Signature header. To generate the signature:

  1. Construct the following string: {path}\n{X-Afterpay-Request-Date}\n{body}

    • {path} is the remainder of the URL following the host, including the query string (if present).
    • {X-Afterpay-Request-Date} is an epoch timestamp set to the current time. No more than 60 seconds should elapse between this timestamp and the time the request is made.
    • {body} is the body of the API request. If there is no request body, leave it out of the string together with the \n that precedes it.
  2. Create an HMAC-SHA256 cryptographic hash where the text to hash is the string you created in step 1. The secret is the secret value associated with the API key being used to make the request.

Example Authentication Headers

    {
      "method": "post",
      "url": "https://agencyapi.sandbox.afterpay.com/v1/onboardings/",
      "headers": {
        "X-Afterpay-Request-Signature": "asasGCZUvApDuo3sIA=",
        "X-Afterpay-Request-Date": 1706263066,
        "X-Afterpay-Request-Apikey": "AB***CD"
      }
    }

Request Signing Code Example

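JavaScript (Postman script):

    var moment = require("moment");
    var sharedSecret = pm.environment.get("agencySharedSecret");

    // Current time as an epoch timestamp in seconds (X-Afterpay-Request-Date).
    var requestTimestamp = moment(new Date().toUTCString()).valueOf() / 1000;
    // Request URL with environment variables resolved. The value signed here
    // must match {path} from step 1: the URL after the host, including any query string.
    var requestURI = pm.environment.values.substitute(pm.request.url, null, false).toString();
    // Step 1: {path}\n{X-Afterpay-Request-Date}
    var formatMessage = requestURI + "\n" + requestTimestamp;

    // Append "\n{body}" only when the request actually has a body.
    if (pm.request.body && !pm.request.body.isEmpty()) {
        formatMessage = formatMessage + "\n" + pm.request.body.toString();
    }

    // Step 2: HMAC-SHA256 keyed with the shared secret, then Base64-encoded.
    var message = CryptoJS.enc.Utf8.parse(formatMessage);
    var secretBytes = CryptoJS.enc.Utf8.parse(sharedSecret);
    var signatureBytes = CryptoJS.HmacSHA256(message, secretBytes);
    var hmac = CryptoJS.enc.Base64.stringify(signatureBytes);
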
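Kotlin:

    import java.util.Base64
    import javax.crypto.Mac
    import javax.crypto.spec.SecretKeySpec

    // url, payload and config are supplied by the surrounding code.
    // Current time as an epoch timestamp in seconds (X-Afterpay-Request-Date).
    val timestamp = (System.currentTimeMillis() / 1000).toString()
    // Step 1: {path}\n{X-Afterpay-Request-Date}
    var message = "$url\n$timestamp"

    // Append "\n{body}" only when there is a request body.
    payload?.let { message += "\n$it" }

    val messageBytes = message.toByteArray(Charsets.UTF_8)
    val secretBytes = config.getSharedSecret().toByteArray(Charsets.UTF_8)

    // Step 2: HMAC-SHA256 keyed with the shared secret.
    val secretKeySpec = SecretKeySpec(secretBytes, "HmacSHA256")

    val mac = Mac.getInstance("HmacSHA256")
    mac.init(secretKeySpec)

    // Base64-encode the raw digest for the signature header.
    val signatureBytes = mac.doFinal(messageBytes)
    val hmac = Base64.getEncoder().encodeToString(signatureBytes)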
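
Steps 1 and 2 in Node.js, together with the check a receiving service could run on the three headers. This is an added example, not Afterpay's code and not part of the original page. The function names, the constructed secret and body, and the verifier's symmetric 60-second window are assumptions, and {path} is taken from the URL as step 1 defines it.

```javascript
const crypto = require("crypto");

const MAX_SKEW_SECONDS = 60; // freshness window stated on this page

// Step 1: {path}\n{X-Afterpay-Request-Date}\n{body}; the body and its "\n" are omitted when empty.
function buildStringToSign(url, timestamp, body) {
  const u = new URL(url);
  const path = u.pathname + u.search; // everything after the host, query string included
  const base = `${path}\n${timestamp}`;
  return body ? `${base}\n${body}` : base;
}

// Step 2: HMAC-SHA256 keyed with the shared secret, Base64-encoded like the page's examples.
function sign(secret, url, timestamp, body) {
  return crypto.createHmac("sha256", secret)
    .update(buildStringToSign(url, timestamp, body), "utf8")
    .digest("base64");
}

// Builds the three headers shown under "Example Authentication Headers".
function signedHeaders(apiKey, secret, url, body, nowSeconds = Math.floor(Date.now() / 1000)) {
  return {
    "X-Afterpay-Request-Signature": sign(secret, url, nowSeconds, body),
    "X-Afterpay-Request-Date": nowSeconds,
    "X-Afterpay-Request-Apikey": apiKey,
  };
}

// Hypothetical receiver-side check (assumption: the page does not describe the verifying side).
// Rejects timestamps outside the window, then compares signatures in constant time.
function verify(secret, url, headers, body, nowSeconds = Math.floor(Date.now() / 1000)) {
  const ts = Number(headers["X-Afterpay-Request-Date"]);
  if (!Number.isInteger(ts) || Math.abs(nowSeconds - ts) > MAX_SKEW_SECONDS) return false;
  const expected = Buffer.from(sign(secret, url, ts, body), "utf8");
  const given = Buffer.from(String(headers["X-Afterpay-Request-Signature"] || ""), "utf8");
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample values, not real credentials.
const demoUrl = "https://agencyapi.sandbox.afterpay.com/v1/onboardings/";
const demoBody = '{"name":"demo"}';
const demoHeaders = signedHeaders("AB***CD", "constructed-secret", demoUrl, demoBody);
console.log(demoHeaders, verify("constructed-secret", demoUrl, demoHeaders, demoBody));
```

The signature covers the exact bytes of the body, so the string that is signed must be the same serialized body that is sent; re-serializing the JSON after signing changes the HMAC.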