Build Signature and Set Headers

This section explains how to generate a signature and set the required headers for authenticating requests to Xenith's APIs.

Get the current timestamp

Generate the current timestamp in RFC3339 format (UTC). Example:

var timestamp = new Date().toISOString();

Retrieve the request method and URI

Capture the HTTP method (e.g., GET, POST) and the request URI. Example:

var method = pm.request.method;
var uri = pm.request.url.getPathWithQuery();

Concatenate the method, URI, and timestamp

Combine these values, separated by newlines (\n), to create the signature payload.

Signature Flow:

var body = JSON.stringify(pm.request.body); // or equivalent
var signaturePayload = method + "\n" + uri + "\n" + timestamp + "\n" + body;

Examples of the Concatenated String

GET Request (No Body, Simple URI)

GET\n/v1/payins\n2025-02-28T12:34:56.789Z\n

GET Request (No Body, With Query Parameters)

GET\n/v1/payins?order=desc&limit=5\n2025-02-28T12:34:56.789Z\n

POST Request (With Body)

POST\n/v1/payins\n2025-02-28T12:34:56.789Z\n{"initiatedAmount":250000,"currency":"IDR","paymentMethod":"VIRTUAL_ACCOUNT","paymentChannel":"BSS.VA","referenceCode":"a1b2c3d4-e5f6-7890-abcd-ef1234567890","customerReference":"987654321","customerName":"Jane Smith","description":"Mocked payment for testing","callbackUrl":"https://mock-callback-url.com","redirectUrl":"https://your.mockserver.com/payment_confirm/9876543"}

Generate the signature

Use your secret key to create an HMAC SHA256 hash of the payload, then encode the hash in base64.

var hash = CryptoJS.HmacSHA256(signaturePayload, secretKey);
var signature = CryptoJS.enc.Base64.stringify(hash);

Set the required headers

Use the generated signature, timestamp, and your Access Key to set the following headers:

pm.request.headers.add({ key: "Xenith-Api-Key", value: yourAccessKey });
pm.request.headers.add({ key: "Xenith-Request-Signature", value: signature });
pm.request.headers.add({ key: "Xenith-Request-Timestamp", value: timestamp });

Best Practices

Generate a new signature for each API request to ensure security.
Always use HTTPS for API requests to protect data in transit.
Implement proper error handling for authentication failures.
Regularly rotate your Access and Secret keys as part of your security practice.
Never share your Secret Key or include it in client-side code.