Authentication Frequently Asked Questions
To register a webhook URL, do I need one API Key and Secret per merchant?
Yes. API Key and Secret are unique per merchant. Each merchant must have their own credentials. You can reuse the same webhook URL if your system can identify the merchant in the payload.
How should I build the authorization header?
Use the format API_KEY:NONCE:SIGNATURE. NONCE = unique value (e.g., epoch timestamp in ms).
SIGNATURE = HMAC-SHA256 of ${NONCE}${method}${path}${payload}.
How should I handle idempotency?
Send the header Idempotency-Key with every POST request. Must be unique per operation. If the same key is reused, the API returns the original response instead of creating a new transaction.