Most POST endpoints require a cryptographic signature to verify the integrity of the request body. This signature is computed using HMAC-SHA256 and sent in the x-signature-key header.

How it works

  1. Serialize your request body as JSON using camelCase property names
  2. Compute an HMAC-SHA256 hash of the JSON string, using your Public Key (Base64-decoded) as the secret
  3. Base64-encode the resulting hash
  4. Send it in the x-signature-key header

Code examples

Node.js

const crypto = require("crypto");

function generateSignature(requestBody, publicKey) {
  const jsonBody = JSON.stringify(requestBody);
  const keyBuffer = Buffer.from(publicKey, "base64");
  const hmac = crypto.createHmac("sha256", keyBuffer);
  hmac.update(jsonBody);
  return hmac.digest("base64");
}

// Usage
const body = {
  narration: "Payment for order #123",
  amount: 5000,
  destinationAccountNumber: "0123456789",
  destinationBankCode: "000013",
  destinationAccountName: "John Doe",
  phoneNumber: "08012345678"
};

const signature = generateSignature(body, "your_public_key_here");

Python

import hmac
import hashlib
import base64
import json

def generate_signature(request_body: dict, public_key: str) -> str:
    # Compact separators: no whitespace between tokens, so the output has no extra spaces
    json_body = json.dumps(request_body, separators=(",", ":"))
    key_bytes = base64.b64decode(public_key)
    signature = hmac.new(key_bytes, json_body.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(signature.digest()).decode("utf-8")

C#

using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

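// Wrapper class added so the method compiles; the class name is illustrative.
public static class SignatureHelper
{
    public static string GenerateSignature(object requestBody, string publicKey)
    {
        // Serialize with camelCase names so PascalCase C# properties match the signed JSON
        var json = JsonSerializer.Serialize(requestBody, new JsonSerializerOptions
        {
            PropertyNamingPolicy = JsonNamingPolicy.CamelCase
        });

        // The Public Key is Base64-decoded and used as the HMAC secret
        var keyBytes = Convert.FromBase64String(publicKey);
        using var hmac = new HMACSHA256(keyBytes);
        var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(json));
        return Convert.ToBase64String(hash);
    }
}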

PHP

function generateSignature($requestBody, $publicKey) {
    $jsonBody = json_encode($requestBody);
    $keyBytes = base64_decode($publicKey);
    $hash = hash_hmac('sha256', $jsonBody, $keyBytes, true);
    return base64_encode($hash);
}

Full request example

curl -X POST "https://api-dev.usenumero.com/numeroaccount/api/v1/business/single" \
  -H "Content-Type: application/json" \
  -H "x-api-key: your_api_key_here" \
  -H "x-signature-key: 4KkwgCUsJ5mDSYsdpK4YKHEfXXboTw0yw4rnV22ReX8=" \
  -d '{"narration":"Payment for order #123","amount":5000,"destinationAccountNumber":"0123456789","destinationBankCode":"000013","destinationAccountName":"John Doe","phoneNumber":"08012345678"}'

Testing signatures

Use the signature generation helper endpoint to verify your implementation during development:
POST /api/v1/business/generatesignature?publickey=your_public_key
Send any request body and this endpoint will return the correct signature. Compare it with your locally generated signature to confirm your implementation is correct.
Note: This endpoint does not require a signature itself. It is a development tool only.

Important notes

  • Property names in the JSON body must be camelCase — the signature is computed over the serialized JSON exactly as sent
  • The Public Key must be Base64-decoded before use as the HMAC secret
  • Ensure your JSON serialization produces consistent output (no extra whitespace, consistent key ordering)
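
Added example (not part of the original documentation or the API provider's code): one way to satisfy the notes above is to serialize the body once, sign those bytes, and send the same bytes, so the signed and transmitted JSON cannot drift apart. The function names, the demo key and the sample body are constructed for illustration, and ensure_ascii=False is this example's choice, since the page does not state how non-ASCII characters should be escaped.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key, not a real credential.
DEMO_KEY_B64 = base64.b64encode(b"constructed-demo-key-0123456789").decode("ascii")


def sign_bytes(payload: bytes, public_key_b64: str) -> str:
    """HMAC-SHA256 over the exact bytes that go on the wire, Base64-encoded."""
    key = base64.b64decode(public_key_b64, validate=True)  # reject malformed keys
    return base64.b64encode(hmac.new(key, payload, hashlib.sha256).digest()).decode("ascii")


def build_signed_request(body: dict, public_key_b64: str) -> tuple[bytes, dict]:
    """Serialize once, sign those bytes, return the same bytes for sending."""
    # ensure_ascii=False is this example's choice; the page does not specify escaping.
    payload = json.dumps(body, separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    headers = {"Content-Type": "application/json",
               "x-signature-key": sign_bytes(payload, public_key_b64)}
    return payload, headers


def signatures_match(local_sig: str, reference_sig: str) -> bool:
    """Constant-time comparison, e.g. against the helper endpoint's answer."""
    return hmac.compare_digest(local_sig.encode("ascii"), reference_sig.encode("ascii"))


def serialization_variants(body: dict) -> dict:
    """Strings different serializer settings emit for the same logical body."""
    return {
        "compact": json.dumps(body, separators=(",", ":"), ensure_ascii=False),
        "default_spacing": json.dumps(body, ensure_ascii=False),
        "sorted_keys": json.dumps(body, separators=(",", ":"), ensure_ascii=False, sort_keys=True),
        "ascii_escaped": json.dumps(body, separators=(",", ":")),
    }


if __name__ == "__main__":
    body = {"narration": "Café order #123", "amount": 5000, "destinationBankCode": "000013"}
    payload, headers = build_signed_request(body, DEMO_KEY_B64)
    print(payload.decode("utf-8"), headers["x-signature-key"])
    for name, text in serialization_variants(body).items():
        sig = sign_bytes(text.encode("utf-8"), DEMO_KEY_B64)
        print(f"{name:16} match={signatures_match(sig, headers['x-signature-key'])}")
```

Because the Public Key is the HMAC secret, load it from configuration rather than source code, and keep in mind that the helper endpoint carries it in the query string, where URLs are commonly written to logs.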