HMAC signatures and request encryption

With HMAC signatures and request encryption, each party (client and server) can confirm that a request was created by an authorized party and has not been changed along the path, while the content itself is encrypted.
What is implemented
| Mechanism | Purpose and Benefits |
|---|---|
| HMAC signatures | Sign each request with a secret key |
| Consistency check | Verify that content was not changed during upload |
| Encrypt request body | Use AES or RSA to protect sensitive data |
| Timestamp signature | Replay attack protection |
| Signature of query parameters | Validation of query string and payload via hash function |
How does it work
1. The client generates a request body and adds a timestamp
2. The signature is calculated with HMAC (e.g. SHA256) based on the secret and the content
3. The signature is added to a header (for example, `X-Signature`)
4. Server verifies signature, timestamp, and valid IP
5. If the signature matches, the request is executed, otherwise it is rejected
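
The five steps above as an added Python example (not code from this page or its vendor). Only `X-Signature` and HMAC-SHA256 come from the page; the `X-Timestamp` header, the canonical string layout, the 300-second window, the sample key and the allowlisted address are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"   # constructed sample key; load from a secret store in practice
MAX_SKEW = 300                        # assumed freshness window in seconds
ALLOWED_IPS = {"203.0.113.10"}        # assumed allowlist (documentation address)


def canonical(method, path, query, timestamp, body):
    # Assumed canonical form: one signed field per line, query keys sorted,
    # body represented by its SHA-256 digest.
    qs = "&".join(f"{k}={v}" for k, v in sorted(query.items()))
    head = "\n".join([method.upper(), path, qs, str(timestamp)]).encode()
    return head + b"\n" + hashlib.sha256(body).hexdigest().encode()


def sign(secret, method, path, query, timestamp, body):
    msg = canonical(method, path, query, timestamp, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def client_request(method, path, query, body, now=None):
    # Steps 1-3: add a timestamp, compute the HMAC, place it in the header.
    ts = int(now if now is not None else time.time())
    headers = {"X-Timestamp": str(ts),
               "X-Signature": sign(SECRET, method, path, query, ts, body)}
    return {"method": method, "path": path, "query": query,
            "headers": headers, "body": body}


def server_verify(req, remote_ip, now=None):
    # Steps 4-5: check the source IP, the timestamp freshness, then the signature.
    now = int(now if now is not None else time.time())
    if remote_ip not in ALLOWED_IPS:
        return "rejected: ip"
    try:
        ts = int(req["headers"]["X-Timestamp"])
    except (KeyError, ValueError):
        return "rejected: timestamp"
    if abs(now - ts) > MAX_SKEW:
        return "rejected: stale"
    expected = sign(SECRET, req["method"], req["path"], req["query"], ts, req["body"])
    supplied = req["headers"].get("X-Signature", "")
    # compare_digest runs in constant time, so a mismatch leaks no position.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: signature"
    return "accepted"
```

Because the timestamp and the sorted query string are part of the signed message, changing either one after signing fails verification just as a modified body does.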
Benefits for API integrations
Protection against substitution or distortion of the request
Ability to communicate securely without TLS (in closed networks)
Increase confidence in the data link
Independence from any specific platform or language
Flexible implementation for different types of customers: cash desks, gateways, providers
Where especially important
Integration with payment, cash or fiscal systems
APIs running in a multi-tenant or partner environment
Systems with increased request verification requirements
Interaction between internal services without permanent authorization
HMAC signatures and encryption are your API's lock against counterfeiting and tampering. Such mechanisms allow you to build reliable integrations even under increased security requirements.