API integrations require not only access control, but also assurance of the authenticity and integrity of each request. To do this, we support HMAC signatures (Hash-based Message Authentication Code), as well as encryption of the body and parameters of requests, ensuring data protection even when transmitted over open networks.
Using HMAC, each party (client and server) confirms that the request was created by an authorized party, has not been changed along the path, and has encrypted content.
What is implemented
| Mechanism | Purpose and benefits |
|---|---|
| HMAC signatures | Sign each request with a private key |
| Integrity control | Verifying that content was not changed during upload |
| Request Body Encryption | Use AES or RSA to protect sensitive data |
| Signed with timestamp | Replay attack protection |
| Signing query parameters | Validation of query string and payload via hash function |
How does it work
1. The client generates a request body and adds a timestamp
2. Calculated by HMAC (e.g. SHA256) based on secret and content
3. The signature is added to the header (for example, 'X-Signature ')
4. Server verifies signature, timestamp, and valid IP
5. If the signature matches, the request is executed, otherwise it is rejected
Benefits for API integrations
Protection against substitution or distortion of the request
Ability to communicate securely without TLS (in closed networks)
Increase confidence in the data link
Platform or language specific independence
Flexible implementation for different types of customers: cash desks, gateways, providers
Where especially important
Integration with payment, cash or fiscal systems
APIs running in a multi-lease or partner environment
Systems with increased request verification requirements
Interaction between internal services without permanent authorization
HMAC signature and encryption is your API lock against counterfeiting and tampering. Such mechanisms allow you to build reliable integration even in conditions of increased security requirements.