Overview
The CommerceCash Payment API uses HMAC-SHA256 request signing to authenticate and verify the integrity of payment initiation requests. Each merchant is issued a unique Secret Key which is used to generate thecc-signature header.
Request Header
Include the following header on every Initiate Payment call:| Header | Type | Required | Description |
|---|---|---|---|
cc-signature | string | ✅ Yes (Initiate) | HMAC-SHA256 of the raw JSON request body, Base64-encoded |
Signature Generation
Algorithm
Pseudocode:Rules
Serialise the request body to camelCase JSON
The signing input is the complete raw JSON request body sent in the HTTP request, serialised using camelCase property names.
Compute HMAC-SHA256
Compute HMAC-SHA256 using:
- Key: your merchant Secret Key (UTF-8 encoded bytes)
- Data: the raw JSON string from Step 1 (UTF-8 encoded bytes)
Code Examples
Error Responses
| Scenario | HTTP Status | errorCode | message |
|---|---|---|---|
cc-signature header is invalid | 400 | INVALID_SIGNATURE | "Invalid request signature" |
| Merchant secret key not configured | 400 | INVALID_SIGNATURE | "Signature secret key not configured for merchant: {merchantId}" |
Example 400 Response
Security Notes
Constant-time comparison
Constant-time comparison
The server compares signatures using
CryptographicOperations.FixedTimeEquals, which prevents timing-based side-channel attacks. Do not attempt to probe the signature by varying bytes.Secret key storage
Secret key storage
Store your Secret Key in a secrets manager or environment variable. Never hard-code it in client-side code or commit it to source control.
Body integrity
Body integrity
Because the signature is computed over the full request body, any modification to the payload in transit will cause signature validation to fail, protecting against tampering.