Withdraw Signature

Every withdraw request you send to us must include a sign value in the header. This value is generated using the HMAC function with the sha256 algorithm and your API Secret, based on the parameters of your request.

Ready-to-use code examples

When creating the signature, you must stringify the request parameters (body, query string, etc.) without altering their order.


Example 1: If you are sending a request to the Available Banks service: This endpoint uses the GET method and does not require query parameters. Therefore, you will use an empty string when generating the signature.



Example 2: If you are sending a request to the Create Withdraw endpoint: This endpoint uses POST and requires several body parameters including accountName and iban. You must stringify these parameters in the exact order they appear, side by side.

Form Body to Send

bankId:5fb103ee40c69600183ec990
amount:100
userId:123456789
name:Test User
userName:testUserName
processId:1122334455
accountName:Test User
iban:TR280006276256222621885935

Expected stringify result

bankId=5fb103ee40c69600183ec990&amount=100&userId=123456789&name=Test+User&userName=testUserName&processId=1122334455&accountName=Test+User&iban=TR280006276256222621885935

Next, you will create the signature by hashing the stringified data using the HMAC function with the sha256 algorithm. You can review the sample implementations below.

Create Signature

const apiSecret = "e59de9db1246eef0423a8c9045bdc5c9ea5729695cf792d065cac10373add831" // Replace with your own API Secret.

const requestData = {
    bankId: "5fb103ee40c69600183ec990",
    amount: "100",
    userId: "123456789",
    name: "Test User",
    userName: "testUserName",
    processId: "1122334455",
    accountName: "Test User",
    iban: "TR280006276256222621885935"
};

const encodedRequest = new URLSearchParams(requestData).toString();
const sign = crypto.createHmac("sha256", apiSecret).update(encodedRequest).digest().toString("base64");

console.log(sign);

Use in requests

You must generate a signature for every request. Then include:

  • the sign header with your generated signature, and
  • the appKey header with your API Key

in all requests you send.

Was this page helpful?