Authentication

Every request to the AFIPAY Merchant API must be authenticated to ensure the security and integrity of your data. The API requires two essential headers to be included with every request:

  • API-KEY: Your unique account-level API key.
  • X-HMAC: An HMAC signature generated using your secret key and the request body.

API Key Authentication

To authenticate using your API key, include the API-KEY header in your HTTP request. For example, using cURL:

Example request with API key

curl https://api-v2.afipay.io/v2/payment \
  -H "API-KEY: YOUR_API_KEY"

HMAC Signature Authentication

In addition to the API key, each request must include an HMAC signature in the X-HMAC header. This signature is generated using your secret key and the content of the request body. This mechanism ensures that the request is genuine and has not been tampered with.

Our API uses the SHA-256 HMAC algorithm. To generate the signature, apply the HMAC-SHA256 algorithm to the raw request body using your secret key, then hex-encode the result. The server will compute its own HMAC signature using the same method and compare it with the one you provide.

For example, to generate and include the HMAC signature in a cURL request, you might do the following:

Example request API_KEY and X-HMAC

curl https://api-v2.afipay.io/v2/payment \
  -H "API-KEY: YOUR_API_KEY" \
  -H "X-HMAC: CALCULATED_SIGNATURE" \
  -d '{"amount": "1000.12345678", "asset": {"short": "USDT", "network": "tron"}, "customer": {"id": 12312312, "name": "John Dou", "email": "[email protected]"}, "invoice": "INV-001", "checkoutUrl": "https://abc.com/orders/40113049"}'

Important:

Always generate a new HMAC signature for each request using your secret key. Never expose your API key or secret key in publicly accessible code.

Was this page helpful?