Authentication

Paynetics API uses HMAC authentication methodology.

To authenticate your API request to Paynetics you need to provide the following elements in the header of your request:

x-api-key string required

Key provided by Paynetics.

x-timestamp integer required

x-hash string required

HMAC SHA-256. Use your secret key as the hash vector. The signed body is formed by concatenating: API key + timestamp + operation + content body (required for POST and PUT requests).

Body content whitespaces are omitted when comparing hashes.

{ " name ": " Paynetics " } is normalised to {"name":"Paynetics"} before signing.

Requests are valid for 15 seconds after hash generation.

If your request timestamp is 1591096701 and the server's clock reads 1591096720, the request will not be authorised.

To exchange API key and secret, Paynetics requires your public PGP key.

Base URL · Production

GET https://api.paynetics.net

Base URL · Sandbox

GET https://api.paynetics.io

Secret key

Provided by Paynetics. Keys must be kept secure to ensure your data stays safe — never share them publicly.

Hash generation examples

GET request

HMAC-SHA256, signed with your API secret:

07364675-5b2a-4d35-bd2c-b93e696aa53f1625399941cards_list

POST request

HMAC-SHA256, signed with your API secret:

07364675-5b2a-4d35-bd2c-b93e696aa53f1625399941init_web{"openBankAccount":true,"issueCard":true}

PUT request

HMAC-SHA256, signed with your API secret:

07364675-5b2a-4d35-bd2c-b93e696aa53f1625399941init_web{"name":"Paynetics"}