Canonical Request Format
The pipe-delimited strings fed into HMAC-SHA256 for HMAC v1 and HMAC v2 requests.
HMAC v1 canonical
METHOD | PATH | TIMESTAMP | BODY
Rules
- Delimiter: a literal single pipe (
|) with no surrounding whitespace. - METHOD: uppercased before joining (
POST, notpost). - PATH: the URL path only (e.g.
/v1/payouts). Not the query string. v1 signing does not commit to query parameters, so requests with a non-empty query string are rejected. Endpoints that take query parameters require HMAC v2 signing. - TIMESTAMP: Unix epoch milliseconds as a string. The same string used in
the
x-timestampheader. - BODY:
- For
GET/DELETE/HEAD/OPTIONS: the empty string. Pass""regardless of what the caller's HTTP body actually contains. - For everything else: the exact JSON bytes that go on the wire. Do not
re-
JSON.stringifyafter signing — whitespace and key ordering changes will break verification.
- For
Example
For a POST /v1/payouts with body {"amount":"100.00","beneficiaryId":"abc"}
and timestamp 1733740800000:
POST|/v1/payouts|1733740800000|{"amount":"100.00","beneficiaryId":"abc"}
That literal string is what gets HMAC'd.
HMAC v2 canonical
METHOD | HOST | PATH_AND_QUERY | API_KEY | TIMESTAMP | NONCE | SHA256_HEX(BODY)
Use HMAC v2 for all new integrations and for every request with query parameters.
HMAC v2 does not change the endpoint URL. The API path remains /v1/...; only
the canonical string and headers change.
Rules:
- METHOD: uppercased before joining.
- HOST: request host as sent, lower-cased, including
:portif present. - PATH_AND_QUERY: exact path and query string, e.g.
/v1/payouts?limit=50&offset=0. - API_KEY: same value sent in
x-api-key. - TIMESTAMP: Unix epoch milliseconds as a string.
- NONCE: unique value per request; replays are rejected.
- SHA256_HEX(BODY): SHA-256 hex digest of the exact request body string.
For
GET/DELETE, hash the empty string.
Example for GET /v1/payouts?limit=50&offset=0 on api.bridg.money:
GET|api.bridg.money|/v1/payouts?limit=50&offset=0|pub_live_xxx|1733740800000|550e8400-e29b-41d4-a716-446655440000|e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855