The FlamPix API uses a sophisticated HMAC SHA-256 signature scheme to ensure request integrity and authenticity. Every request you make must be signed using your API Secret.

Here is a comprehensive documentation guide in English, specifically designed to help developers implement your HMAC authentication.

It includes a dedicated section for Apidog/Postman users with a copy-paste "Pre-request Script" to automate the signing process during testing.

Authentication & HMAC Signing

The FlamPix API uses a sophisticated HMAC SHA-256 signature scheme to ensure request integrity and authenticity. Every request you make must be signed using your API Secret.

1. Required Headers

All requests must include the following headers:

Header	Description
`X-FlamPix-Key`	Your public API Key.
`X-FlamPix-Timestamp`	Current Unix timestamp (in seconds).
`X-FlamPix-Signature`	The Hex string generated by the HMAC-SHA256 algorithm.

2. Constructing the Signature

To generate the X-FlamPix-Signature, you must create a Base String and sign it using your API Secret.

A. The Base String Format

The Base String is a concatenation of four values, separated strictly by a newline character (\n):

{timestamp}\n{METHOD}\n{path}\n{body}

timestamp: Same value as the header (e.g., 1708550400).

METHOD: Uppercase HTTP method (e.g., POST, GET).

path: The endpoint path starting with / (e.g., /gt/api/v1/deposits). Do not include the domain.

body: The raw JSON request body string.

B. Special Rules

GET Requests: The body is an empty string, but the final \n separator must still be present.

Raw Body: Use the exact raw string of the body to be sent. Do not serialize JSON again after signing, or the hash will mismatch.

C. Examples

Example 1: POST Request

1708550400
POST
/gt/api/v1/deposits
{"amountInCents":15000,"destinationAddress":"lq1..."}

Example 2: GET Request (Note the trailing newline)

1708550405
GET
/gt/api/v1/deposits/c2a5dbd4-043a-4d4f-866e-8ddad4ed067c

3. Automation in Apidog (or Postman)

If you are using Apidog to test the API, you don't need to calculate the hash manually. You can use a Pre-request Script to generate the headers automatically.

Steps:

Open your project in Apidog.

Go to Environment Management.

Add two variables: FLAMPIX_API_KEY and FLAMPIX_API_SECRET.

Open your request (or the entire Collection settings), go to the Pre-request Script tab, and paste the following code:

🔑 Authentication & HMAC Signing

Authentication & HMAC Signing

1. Required Headers

2. Constructing the Signature

A. The Base String Format

B. Special Rules

C. Examples

Example 1: POST Request

Example 2: GET Request (Note the trailing newline)

3. Automation in Apidog (or Postman)

4. Code Implementation Examples

Node.js (Axios)

PHP

Python

🔑 Authentication & HMAC Signing

Authentication & HMAC Signing#

1. Required Headers#

2. Constructing the Signature#

A. The Base String Format#

B. Special Rules#

C. Examples#

Example 1: POST Request#

Example 2: GET Request (Note the trailing newline)#

3. Automation in Apidog (or Postman)#

4. Code Implementation Examples#

Node.js (Axios)#

PHP#

Python#

Authentication & HMAC Signing

1. Required Headers

2. Constructing the Signature

A. The Base String Format

B. Special Rules

C. Examples

Example 1: POST Request

Example 2: GET Request (Note the trailing newline)

3. Automation in Apidog (or Postman)

4. Code Implementation Examples

Node.js (Axios)

PHP

Python