BridgPay Docs

Canonical Request Format

The pipe-delimited strings fed into HMAC-SHA256 for HMAC v1 and HMAC v2 requests.

HMAC v1 canonical

METHOD | PATH | TIMESTAMP | BODY

Rules

  • Delimiter: a literal single pipe (|) with no surrounding whitespace.
  • METHOD: uppercased before joining (POST, not post).
  • PATH: the URL path only (e.g. /v1/payouts). Not the query string. v1 signing does not commit to query parameters, so requests with a non-empty query string are rejected. Endpoints that take query parameters require HMAC v2 signing.
  • TIMESTAMP: Unix epoch milliseconds as a string. The same string used in the x-timestamp header.
  • BODY:
    • For GET / DELETE / HEAD / OPTIONS: the empty string. Pass "" regardless of what the caller's HTTP body actually contains.
    • For everything else: the exact JSON bytes that go on the wire. Do not re-JSON.stringify after signing — whitespace and key ordering changes will break verification.

Example

For a POST /v1/payouts with body {"amount":"100.00","beneficiaryId":"abc"} and timestamp 1733740800000:

POST|/v1/payouts|1733740800000|{"amount":"100.00","beneficiaryId":"abc"}

That literal string is what gets HMAC'd.

HMAC v2 canonical

METHOD | HOST | PATH_AND_QUERY | API_KEY | TIMESTAMP | NONCE | SHA256_HEX(BODY)

Use HMAC v2 for all new integrations and for every request with query parameters.

HMAC v2 does not change the endpoint URL. The API path remains /v1/...; only the canonical string and headers change.

Rules:

  • METHOD: uppercased before joining.
  • HOST: request host as sent, lower-cased, including :port if present.
  • PATH_AND_QUERY: exact path and query string, e.g. /v1/payouts?limit=50&offset=0.
  • API_KEY: same value sent in x-api-key.
  • TIMESTAMP: Unix epoch milliseconds as a string.
  • NONCE: unique value per request; replays are rejected.
  • SHA256_HEX(BODY): SHA-256 hex digest of the exact request body string. For GET/DELETE, hash the empty string.

Example for GET /v1/payouts?limit=50&offset=0 on api.bridg.money:

GET|api.bridg.money|/v1/payouts?limit=50&offset=0|pub_live_xxx|1733740800000|550e8400-e29b-41d4-a716-446655440000|e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

On this page