Authentication
Cyrafa supports two authentication styles:
- API key with HMAC headers
- Bearer token or x-access-token
For server-to-server integrations, API key with HMAC is the recommended approach. It gives you deterministic request signing and is the best fit for wallet, withdrawal, and checkout operations.
Recommended headers
Include these headers on signed API requests:
- api-key: your issued API key
- timestamp: a Unix timestamp generated at request time
- signature: the HMAC SHA-256 signature for the canonical payload
Canonical payload
Build the signature payload in this exact format:
    <timestamp>.<body>
Rules:
- The request body must be compact JSON with no extra spaces or line breaks.
- The signed body must exactly match the body sent in the HTTP request.
- For GET requests or body-less requests, the body is an empty string.
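The rules above in one round trip, as an added example that is not Cyrafa's own code: the body is serialized once and that exact string is both signed and sent. The receiver-side `verifyRequest` helper, its 300-second freshness window, and the sample key, secret and wallet values are assumptions made for illustration; the page does not describe how Cyrafa validates requests.

```javascript
// CommonJS form; in an ES module use `import crypto from 'node:crypto'` instead.
const crypto = require('node:crypto')

// HMAC SHA-256 over the canonical payload "<timestamp>.<body>", hex encoded.
function computeSignature(secret, timestamp, rawBody) {
  return crypto.createHmac('sha256', secret).update(`${timestamp}.${rawBody}`).digest('hex')
}

// Serialize once and return that exact string, so the signed bytes are the sent bytes.
// Pass null for GET or body-less requests; the body is then the empty string.
function signRequest(apiKey, secret, bodyObject, nowSec = Math.floor(Date.now() / 1000)) {
  const body = bodyObject == null ? '' : JSON.stringify(bodyObject)
  const timestamp = String(nowSec)
  const headers = { 'api-key': apiKey, timestamp, signature: computeSignature(secret, timestamp, body) }
  return { headers, body }
}

// Receiver-side check (hypothetical helper). maxSkewSec is an assumed freshness window.
function verifyRequest(secret, headers, rawBody, nowSec, maxSkewSec = 300) {
  const ts = Number(headers.timestamp)
  if (!Number.isInteger(ts) || Math.abs(nowSec - ts) > maxSkewSec) return false
  const expected = Buffer.from(computeSignature(secret, headers.timestamp, rawBody), 'hex')
  const given = Buffer.from(String(headers.signature), 'hex')
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected)
}

// Constructed sample values, not real credentials.
const SAMPLE_KEY = 'example-api-key'
const SAMPLE_SECRET = 'example-api-secret'
const SAMPLE_NOW = 1700000000

function demo() {
  const post = signRequest(SAMPLE_KEY, SAMPLE_SECRET, { walletId: 'w-1', amount: '125.50' }, SAMPLE_NOW)
  const get = signRequest(SAMPLE_KEY, SAMPLE_SECRET, null, SAMPLE_NOW)
  // Same JSON value, different bytes: re-serializing before sending breaks the signature.
  const pretty = JSON.stringify(JSON.parse(post.body), null, 2)
  return {
    exactBody: verifyRequest(SAMPLE_SECRET, post.headers, post.body, SAMPLE_NOW + 5),
    reformattedBody: verifyRequest(SAMPLE_SECRET, post.headers, pretty, SAMPLE_NOW + 5),
    emptyBodyGet: verifyRequest(SAMPLE_SECRET, get.headers, '', SAMPLE_NOW + 5),
    staleTimestamp: verifyRequest(SAMPLE_SECRET, post.headers, post.body, SAMPLE_NOW + 3600)
  }
}

console.log(demo())
```

Send `body` from `signRequest` as the raw request body; handing the original object to an HTTP client that serializes it again can change the bytes and invalidate the signature.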
Node.js example
    import crypto from 'node:crypto'

    // Unix timestamp in seconds, generated at request time
    const timestamp = Math.floor(Date.now() / 1000).toString()

    // JSON.stringify without an indent argument produces compact JSON.
    // Send this exact string as the HTTP request body.
    const body = JSON.stringify({
      walletId: '<WALLET_ID>',
      address: '<DEST_ADDRESS>',
      walletType: 'user',
      amount: '125.50',
      feePriority: 'medium',
      gateway: 'cyrafa',
      note: 'Treasury transfer'
    })

    // Canonical payload: <timestamp>.<body>
    const payload = `${timestamp}.${body}`

    const signature = crypto
      .createHmac('sha256', '<YOUR_API_SECRET>')
      .update(payload)
      .digest('hex')

    console.log({ timestamp, body, signature })

Signed GET request example
    import crypto from 'node:crypto'

    const timestamp = Math.floor(Date.now() / 1000).toString()

    // GET and body-less requests sign an empty-string body
    const body = ''
    const payload = `${timestamp}.${body}`

    const signature = crypto
      .createHmac('sha256', '<YOUR_API_SECRET>')
      .update(payload)
      .digest('hex')

    const headers = {
      'api-key': '<YOUR_API_KEY>',
      timestamp,
      signature
    }

    console.log(headers)

Bearer token and x-access-token
Some platform surfaces may also accept bearer-style auth. If your integration uses Authorization: Bearer <TOKEN> or x-access-token: <TOKEN>, confirm the exact scope and expiry behavior with the Cyrafa team before production use.