API Authorization

Request authorization

API authorization is performed by sending an API key in the X-API-KEY header.

Also, for all requests, the header Content-Type: application/x-www-form-urlencoded is required.

Example:

curl -X 'GET' \
  'https://sandbox-live-tunell-gateway.ecng.digital/time' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'X-API-KEY: 3c72917fgh8x9c75950b50d3ade9f74eabec6786a2c2da0bcb924e2febcd9b1'

Request signing

As an additional security layer, all POST requests should be signed by adding a X-API-SIGNATURE header.

The value of X-API-SIGNATURE is a POST body, signed by the API Secret key HMAC-SHA512.

API Secret is displayed only once, when re-generating API key in the Settings->Integration->Tunell Gateway token section (Business Dashboard).

You can validate the X-API-SIGNATURE generation logic by comparing the result with the provided example.

Example:


API Secret: A1b2C3d4E5f6
POST /callbacks
Request body: url=https://webhook-test.com/1234&transactions=incoming,outgoing,withdrawal

curl -X 'POST' \
  'https://sandbox-live-tunell-gateway.ecng.digital/callbacks' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'X-API-KEY: 3c72917fgh8x9c75950b50d3ade9f74eabec6786a2c2da0bcb924e2febcd9b1' \
  -H 'X-API-SIGNATURE: 92cb7a7122fd4871ee2a5ffb4c4c72bb1805e696f14e0401fc891d34fe52c5f2604e62614cc8e8e0e6c6a5e45db0540a4198fbe68d3a31b7bcc69af57fd22bb1'

PreviousAPI Credentials NextAPI Endpoints

Last updated 5 months ago