BridgPay Docs

Canonical Request Format

The pipe-delimited string fed into HMAC-SHA256 on every signed request.

The single source of truth for what bytes get signed:

METHOD | PATH | TIMESTAMP | BODY

Rules

  • Delimiter: a literal single pipe (|) with no surrounding whitespace.
  • METHOD: uppercased before joining (POST, not post).
  • PATH: the URL path only (e.g. /v1/payouts). Not the query string — v1 signing does not commit to query parameters. Endpoints that take query parameters require v2 signing.
  • TIMESTAMP: Unix epoch milliseconds as a string. The same string used in the x-timestamp header.
  • BODY:
    • For GET / DELETE / HEAD / OPTIONS: the empty string. Pass "" regardless of what the caller's HTTP body actually contains.
    • For everything else: the exact JSON bytes that go on the wire. Do not re-JSON.stringify after signing — whitespace and key ordering changes will break verification.

Example

For a POST /v1/payouts with body {"amount":"100.00","beneficiaryId":"abc"} and timestamp 1733740800000:

POST|/v1/payouts|1733740800000|{"amount":"100.00","beneficiaryId":"abc"}

That literal string is what gets HMAC'd.

Previous

Authentication Headers

Next

Generate Request Signature

On this page