Authentication

The new Pago46 Core API uses a security scheme based on HMAC SHA-256 to guarantee the integrity and authenticity of each transaction.

This mechanism ensures that whoever sends the request possesses the correct credentials and that the message has not been altered en route nor is it a repetition of an old request.

Mandatory Headers

Every HTTP request you make to our API must include the following headers:

Header       | Type      | Description
-------------|-----------|-----------------------------------------------------------
Provider-Key | String    | Your unique provider identifier (API Key).
Message-Date | Timestamp | Unix Timestamp (floating point seconds or milliseconds).
Message-Hash | String    | The hexadecimal result of the calculated HMAC signature.
Important

The server will validate that the difference between the sent Message-Date and the current server time is not greater than 24 hours. If the time exceeds this range, the request will be rejected to prevent replay attacks.

Signature Algorithm

To generate a valid Message-Hash, you must strictly follow the algorithm below to construct the signature string.

1. String Construction (String to Sign)

Unlike previous versions, this flow does not require sorting parameters alphabetically. The string is constructed by concatenating the following values separated by colons (:):

  1. Provider Key
  2. Message Date (The same value sent in the header)
  3. HTTP Method (E.g., POST, GET)
  4. Path (The resource path, e.g., /api/v1/payments)
  5. Body (The raw body of the request in UTF-8)

Format:

PROVIDER_KEY:MESSAGE_DATE:METHOD:PATH:BODY

Note on Body

If the request is GET and has no body, the BODY value must be an empty string. If it is a POST with JSON, make sure to use the exact JSON string you will send in the request, without extra spaces or modifications.

2. Hash Generation

Once the string is built, you must sign it using:

  • Algorithm: HMAC SHA-256
  • Secret: Your Provider Secret (provided by Pago46)
  • Message: The string built in step 1.
  • Output: Hexdigest (hexadecimal string).

Implementation Examples

Below, we present how to generate this signature in different languages.

import hmac
import hashlib
import time
import requests
import json

def send_authenticated_request(provider_key, provider_secret, method, path, body_dict=None):
    # 1. Prepare data
    host = "https://api.pago46.com"
    timestamp = str(time.time())  # Current Timestamp (float as string), sent verbatim in Message-Date

    # If there is a body, convert to JSON string, otherwise, it is empty
    body_str = json.dumps(body_dict) if body_dict else ""

    # 2. Build the signature string (IMPORTANT: Separator is ":")
    # Format: KEY:DATE:METHOD:PATH:BODY
    string_to_sign = f"{provider_key}:{timestamp}:{method}:{path}:{body_str}"

    # 3. Calculate HMAC SHA-256 over the UTF-8 bytes of the string, hex output
    calculated_hmac = hmac.new(
        provider_secret.encode("utf-8"),
        string_to_sign.encode("utf-8"),
        hashlib.sha256
    ).hexdigest()

    # 4. Send Request (the body on the wire must be the exact string that was signed)
    headers = {
        "Provider-Key": provider_key,
        "Message-Date": timestamp,
        "Message-Hash": calculated_hmac,
        "Content-Type": "application/json"
    }

    response = requests.request(
        method=method,
        url=f"{host}{path}",
        headers=headers,
        data=body_str.encode("utf-8")  # encode explicitly so non-ASCII JSON is sent as UTF-8
    )

    return response

# Usage
response = send_authenticated_request(
    provider_key="PK_12345",
    provider_secret="SECRET_XYZ",
    method="POST",
    path="/api/v1/payments/",
    body_dict={"amount": 100, "currency": "CLP"}
)
print(response.status_code)
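To see the scheme from the receiving side, the following is an added example (not Pago46's code) of a verifier that applies the same steps: it rebuilds the string to sign from the headers as received, recomputes the HMAC SHA-256 hexdigest, enforces the 24-hour Message-Date window and compares the hashes in constant time. The credential store, the function names and the seconds-versus-milliseconds heuristic are assumptions for the example.

```python
import hmac
import hashlib
import time

MAX_SKEW_SECONDS = 24 * 60 * 60  # the 24-hour window described above

# Constructed placeholder credentials for the example (not real keys).
PROVIDER_SECRETS = {"PK_12345": "SECRET_XYZ"}

def build_string_to_sign(provider_key, message_date, method, path, body):
    # Step 1: colon-separated, no sorting. message_date is the header's raw string.
    return f"{provider_key}:{message_date}:{method}:{path}:{body}"

def compute_message_hash(secret, string_to_sign):
    # Step 2: HMAC SHA-256 over the UTF-8 bytes, hexdigest output.
    return hmac.new(secret.encode("utf-8"),
                    string_to_sign.encode("utf-8"),
                    hashlib.sha256).hexdigest()

def parse_message_date(value):
    # Assumption: values above 1e11 are milliseconds, smaller ones are seconds.
    ts = float(value)
    return ts / 1000.0 if ts > 1e11 else ts

def verify_request(headers, method, path, raw_body, now=None):
    """Return (ok, reason); reasons mirror the rejection messages on this page."""
    now = time.time() if now is None else now
    provider_key = headers.get("Provider-Key", "")
    secret = PROVIDER_SECRETS.get(provider_key)
    if secret is None:
        return False, "Invalid authentication credentials"
    message_date = headers.get("Message-Date", "")
    try:
        sent_at = parse_message_date(message_date)
    except ValueError:
        return False, "Invalid authentication credentials"
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False, "Possible replay attack"
    # Sign the raw body exactly as received; never re-serialize it before hashing.
    expected = compute_message_hash(
        secret, build_string_to_sign(provider_key, message_date, method, path, raw_body))
    provided = headers.get("Message-Hash", "")
    # Constant-time comparison so timing does not leak how many hex digits matched.
    if not hmac.compare_digest(expected.encode("utf-8"), provided.encode("utf-8")):
        return False, "Hash mismatch"
    return True, "ok"
```

Because the verifier feeds the Message-Date header string into the signature unchanged, a client that signs one representation of the timestamp and sends another will get "Hash mismatch" rather than a silent pass.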

Common Errors

HTTP Code     | Message                            | Probable Cause
--------------|------------------------------------|------------------------------------------------------------------------------------------------------
403 Forbidden | Invalid authentication credentials | The Provider-Key header does not exist or was not found in the database.
403 Forbidden | Possible replay attack             | The Message-Date has a difference of more than 24 hours with the server.
403 Forbidden | Hash mismatch                      | The signature does not match. Verify that the separator is :, that the body is exact, and that the path is correct.