🔐Auth

Scenarios:

  1. Merchant calls Xcash API to create an invoice.

  2. Xcash sends invoice notification to the merchant's Webhook URL.

1 Request Header Conventions

| Header | Meaning | Required | Type | Notes |
| --- | --- | --- | --- | --- |
| XC-Appid | Project AppID | Yes | string | Specifies the project |
| XC-Nonce | 16-64 character random string | Yes | string | Prevents replay attacks, ensures idempotency |
| XC-Timestamp | Unix timestamp (seconds) | Yes | string | Server requires within ±60 seconds of current time |
| XC-Signature | Signature string | Yes | string | HMAC-SHA256 result (hex lowercase) |
| Content-Type | application/json | Yes | string | Requests/notifications are UTF-8 encoded JSON strings |

2 Signature Algorithm

  1. Construct message string: message = nonce + timestamp + request_body.

    • request_body is the JSON string of the request body.

    • Keep JSON serialization consistent (recommended to use compact mode: no extra spaces or line breaks).

    • hmac_key is obtained from the backend project management section.

  2. Calculate using HMAC-SHA256: signature = HMAC_SHA256(key=hmac_key, message).

  3. Convert the result to a 64-character hexadecimal lowercase string, which becomes XC-Signature.
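The steps above, together with the header rules in section 1, as an added Python example (not Xcash's own code): it signs an outgoing request and verifies a received notification. The function names, the in-memory `seen_nonces` set, the exact-case header lookup and the UTF-8 encoding of `hmac_key` are assumptions; all sample values are constructed.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW = 60  # seconds: the ±60 s window required for XC-Timestamp

def compact_json(payload):
    # Compact mode: no extra spaces or line breaks, UTF-8 characters kept as-is.
    return json.dumps(payload, separators=(",", ":"), ensure_ascii=False)

def sign(hmac_key, nonce, timestamp, body):
    # message = nonce + timestamp + request_body, then HMAC-SHA256 as lowercase hex.
    # Assumption: hmac_key is used as the UTF-8 bytes of the string from the backend.
    message = (nonce + timestamp + body).encode("utf-8")
    return hmac.new(hmac_key.encode("utf-8"), message, hashlib.sha256).hexdigest()

def build_headers(appid, hmac_key, nonce, body, now=None):
    ts = str(int(time.time() if now is None else now))
    return {
        "XC-Appid": appid,
        "XC-Nonce": nonce,
        "XC-Timestamp": ts,
        "XC-Signature": sign(hmac_key, nonce, ts, body),
        "Content-Type": "application/json",
    }

def verify(headers, raw_body, hmac_key, seen_nonces, now=None):
    # raw_body must be the body exactly as received; re-serializing parsed JSON
    # can change the bytes and break the signature.
    now = time.time() if now is None else now
    nonce = headers.get("XC-Nonce", "")
    ts = headers.get("XC-Timestamp", "")
    sig = headers.get("XC-Signature", "")
    if not 16 <= len(nonce) <= 64:
        return False, "bad nonce"
    if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign(hmac_key, nonce, ts, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    # Record the nonce only after the signature checks out, so unsigned
    # traffic cannot fill the cache; entries can expire after the skew window.
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"
```

In production the nonce set would live in a shared store with a time-to-live slightly longer than the timestamp window, and the nonce itself would come from a cryptographic random source such as `secrets.token_hex(16)`.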
