Authentication - V2

The EllyPay API V2 uses a key pair (API and Secret Keys) for authentication. To make an authenticated request to our API, you need to pass 4 (four) custom headers as described in this section.

Obtain the Keys

The API and Secret keys are shared in the email that's sent to you when your account is approved. These keys should sent as headers with the header names; ApiKey and SecretKey

Please ensure that your keys are stored safely and not shared with the public. In the event your keys are compromised, please contact us immediately for assistance. Please equally note the all requests will be from whitelisted IP(s) only.

Generate Request Signature

The third header is the request signature with the header name; Signature and it is generated by concatenating the API Key and the current timestamp in milliseconds. The concatenation is in the format; timestamp:ApiKey and below is the description of how the signature is generated. The final value sent in the signature header takes the format t=timestamp,s=hmac_hash

<?php
function generateSignature() {
    $apiKey = "EPYPUB-****";
    $secretKey = "EPYSEC-****";
    $milliseconds = microtime(true) * 1000; /*get current timestamp in milliseconds*/

    $stringToSign = $milliseconds.":".$apiKey;
    $hash = hash_hmac('sha256', $stringToSign, $secretKey, false);
    
    return "t=".$milliseconds.",s=".$hash;
}
?>

const crypto = require('crypto');
function generateSignature() {
    const apiKey = "EPYPUB-****";
    const secretKey = "EPYSEC-****";
    const currentTime = new Date().getTime(); /*get current timestamp in milliseconds*/
    
    const stringToSign = `${currentTime.toString()}:${apiKey}`;
    const hash = crypto.createHmac("sha256", secretKey).update(stringToSign).digest("hex");
    
    return `t=${currentTime.toString()},s=${hash}`;
}

import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public static String generateSignature() throws NoSuchAlgorithmException, InvalidKeyException {
    String apiKey = "EPYPUB-****";
    String secretKey = "EPYSEC-****";

    // Get the current timestamp in milliseconds
    long currentTimeMillis = System.currentTimeMillis();
    String currentTime = Long.toString(currentTimeMillis);

    String stringToSign = currentTime + ":" + apiKey;

    // Convert the stringToSign and key to bytes
    byte[] messageBytes = stringToSign.getBytes();
    byte[] keyBytes = secretKey.getBytes();

    // Create a SecretKeySpec object with the key
    SecretKeySpec secretKeySpec = new SecretKeySpec(keyBytes, "HmacSHA256");

    // Create a Mac object with the HmacSHA256 algorithm
    Mac mac = Mac.getInstance("HmacSHA256");

    // Initialize the Mac object with the SecretKeySpec
    mac.init(secretKeySpec);

    // Compute the HMAC
    byte[] hmac = mac.doFinal(messageBytes);

    // Convert the HMAC to a hexadecimal string
    StringBuilder hexString = new StringBuilder();
    for (byte b : hmac) {
      hexString.append(String.format("%02x", b));
    }

    return "t=" + currentTime + ",s=" + hexString.toString();
  }

using System;
using System.Security.Cryptography;
using System.Text;

public static string GenerateSignature()
{
    const string apiKey = "EPYPUB-****";
    const string secretKey = "EPYSEC-****";

    // Get the current timestamp in milliseconds
    long currentTimeMillis = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds();
    string currentTime = currentTimeMillis.ToString();

    string stringToSign = $"{currentTime}:{apiKey}";

    // Convert the stringToSign and key to bytes
    byte[] messageBytes = Encoding.UTF8.GetBytes(stringToSign);
    byte[] keyBytes = Encoding.UTF8.GetBytes(secretKey);

    // Create a SecretKeySpec object with the key
    using var secretKeySpec = new HMACSHA256(keyBytes);

    // Compute the HMAC
    byte[] hmac = secretKeySpec.ComputeHash(messageBytes);

    // Convert the HMAC to a hexadecimal string
    StringBuilder hexString = new StringBuilder();
    foreach (byte b in hmac)
    {
        hexString.AppendFormat("{0:x2}", b);
    }

    return $"t={currentTime},s={hexString}";
}

import hmac
import hashlib
import time

API_KEY = "EPYPUB-****"
SECRET_KEY = "EPYSEC-****"

def generate_signature():
    current_time = int(time.time() * 1000)
    string_to_sign = f"{current_time}:{API_KEY}"

    message_bytes = string_to_sign.encode("utf-8")
    key_bytes = SECRET_KEY.encode("utf-8")

    hmac_digest = hmac.digest(key_bytes, message_bytes, hashlib.sha256)
    hex_string = hmac_digest.hex()

    return f"t={current_time},s={hex_string}"

require 'openssl'

API_KEY = 'EPYPUB-****'
SECRET_KEY = 'EPYSEC-****'

def generate_signature
  current_time = Time.now.utc.to_i * 1000
  string_to_sign = "#{current_time}:#{API_KEY}"

  message_bytes = string_to_sign.encode('utf-8')
  key_bytes = SECRET_KEY.encode('utf-8')

  hmac = OpenSSL::HMAC.digest('sha256', key_bytes, message_bytes)
  hex_string = hmac.unpack1('H*')

  "t=#{current_time},s=#{hex_string}"
end

For V2 of the API to behave as expected, the fourth mandatory parameter X-API-Version needs to be passed and with the value as 2. When this header is omitted completely, the API will default to the V1 (old) authenticaiton requirements. Please also note that a value greater than 2 will not be accepted unless further improvements allow it so.

Request Headers

For all the API requests on V2, the following headers are required for the requests to succeed. These headers are obtained as described above.

PreviousAuthentication NextSandbox Test Accounts

Last updated 11 months ago