

Signatures establish trust in the requesting server and ensure that the content of the request has not been altered along the way. Validating signatures is not mandatory in the integration, but we strongly recommend it. Signed requests are validated with an HMAC-SHA256 checksum that is Base64 encoded.

Signing sending requests

For requests sent to the API endpoints, the client needs to sign the request. The signing process consists of the 4 steps listed below.

  1. Obtain the Secret Key and the String to sign. The secret key will be handed over by your account manager, and the string to sign is always the payload body of the request.
  2. Compute the HMAC byte array.
  3. Perform a Base64 encoding.
  4. Set the value as the x-signature header of the request.

Below is a pseudo code example for computing and creating a signature. How to do this can vary between technologies. References for different languages you can find here.

Signature = Base64( HMAC-SHA256( SecretKey, StringToSign ) )

Verify receiving requests

For notifications received in webhooks (callbacks), the client needs to validate the signature. To do this, perform the same steps as above and compare the x-signature you receive in the request with the one that you compute with the secret. They need to be exactly equal.

Node.js example

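```js
const crypto = require('crypto');

// rawBody (assumed name): the callback payload body exactly as received
const signature = crypto
  .createHmac('sha256', kashaSignatureKey)
  .update(rawBody)
  .digest('base64');

if (headers['x-signature'] !== signature) {
  this.logger.warn('Invalid callback signature.', { signature, requestId });
  return false;
}
```

Note 📌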

To obtain the signature secret key attached to your merchant, please contact Kasha support.