Authentication
How to authenticate iPint API requests using HMAC-SHA384 signatures.
Authentication
iPint uses HMAC-SHA384 signatures to authenticate API requests. You'll receive an API key and an API secret when your account is activated.
Keep your API secret as secure as a private key or password. Never share it in any API request body or URL. Use it only to generate the HMAC signature on your server.
Headers
All authenticated requests require these three headers:
| Header | Description |
|---|---|
apikey | Your API key |
signature | HMAC-SHA384 signature (see below) |
nonce | Current Unix timestamp (seconds) |
Signature format
The signature is generated by concatenating /api/ + nonce + API path + request body (for POST), then hashing with HMAC-SHA384 using your API secret.
For GET requests:
signature = "/api/" + nonce + apiPathFor POST requests:
signature = "/api/" + nonce + apiPath + JSON.stringify(body)For GET requests, include query params in the apiPath (e.g. /invoice?id=123).
Do NOT include the body for GET requests.
Example code
JavaScript
const CryptoJS = require('crypto-js');
const request = require('request');
const apiKey = 'paste key here';
const apiSecret = 'paste secret here';
const apiPath = '/say'; // Example path
// const apiPath = '/say?id=123'; // Example path with query params
const nonce = (Date.now() * 1000).toString(); // Timestamp * 1000
const body = {}; // Field you may change depending on endpoint
// GET method — do not add body
let signature = '/api/' + nonce + apiPath;
// POST method — add body
// let signature = '/api/' + nonce + apiPath + JSON.stringify(body);
const sig = CryptoJS.HmacSHA384(signature, apiSecret).toString();
const options = {
url: 'https://api.ipint.io:8003' + apiPath,
headers: { 'nonce': nonce, 'apikey': apiKey, 'signature': sig },
body: body,
json: true
};
// GET
request(options, function (error, response, body) {
console.log('statusCode:', response && response.statusCode);
console.log('body:', body);
});
// POST
// request.post(options, (error, response, body) => {
// console.log(body);
// });Python
import hashlib
import hmac
import json
import requests
import time
BASE_URL = "https://api.ipint.io:8003" # mainnet
# BASE_URL = "https://api.ipint.io:8002" # testnet
API_KEY = "your ipint api key"
API_SECRET = "your ipint api secret"
class iPintClient:
def __init__(self, api_key=API_KEY, api_secret=API_SECRET, base_url=BASE_URL):
self.apikey = api_key
self.apisecret = api_secret
self.baseurl = base_url
def hmacsha384(self, message):
inp = message.encode()
secret = self.apisecret.encode()
digest_maker = hmac.new(secret, inp, hashlib.sha384)
return digest_maker.hexdigest()
def get_headers(self, api_path, body=None):
nonce = str(int(time.time()))
if body:
signature = "/api/{}{}{}".format(nonce, api_path, json.dumps(body))
else:
signature = "/api/{}{}".format(nonce, api_path)
sig = self.hmacsha384(signature)
headers = {
'nonce': nonce,
'apikey': self.apikey,
'signature': sig,
'content-type': "application/json"
}
return headers
def get_invoice(self, invoice_id):
api_path = '/invoice?id={}'.format(invoice_id)
url = self.baseurl + api_path
headers = self.get_headers(api_path)
res = requests.get(url, headers=headers)
return res.json()Java
Java code is available in the GitHub repository.
Production vs test credentials
- Test credentials — provided for integration testing on testnet. Email help@ipint.io to request test keys.
- Production credentials — sent to your registered email after account activation. Use these only when you're ready to go live.
Do not use demo/test API credentials in production. Use the final production API key and secret sent on your registered email address.
Security best practices
- Store secrets securely — use environment variables or a secrets manager
- Never expose the secret client-side — all signing happens on your server
- Use HTTPS — always send API requests over HTTPS
- Rotate keys if compromised — contact help@ipint.io
Next steps
- POST /checkout — create your first authenticated request
- GitHub examples — working code samples
- Go to Production — production checklist