Authentication

This page describes the authentication mechanisms used to secure the Two-Coin API. All API requests must be properly authenticated to ensure secure communication.

HMAC Authentication

The Two-Coin API uses HMAC (Hash-based Message Authentication Code) for request authentication. The signature lets the server verify that a request was sent by a holder of the merchant's API secret and was not modified in transit.

Required Headers

X-MERCHANT-CODE: your_merchant_code
X-TIMESTAMP: current_timestamp_in_milliseconds
X-SIGNATURE: hmac_signature

Generating the Signature

The signature is an HMAC-SHA256 hash, keyed with your API secret, over the merchant code, timestamp, URI, and payload concatenated in that order with no separators. The result is hex-encoded.

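// JavaScript example
const crypto = require('crypto');

// Returns the hex-encoded HMAC-SHA256 signature for one request.
// uri includes query parameters; timestamp is in milliseconds.
function generateSignature(
    merchantCode,
    secretKey,
    uri,
    payload,
    timestamp
) {
    // Fields are concatenated in this fixed order, with no separators.
    const message = `${merchantCode}${timestamp}${uri}${payload}`;
    const hmac = crypto.createHmac('sha256', secretKey);
    hmac.update(message);
    return hmac.digest('hex');
}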

Authentication Process

  1. Generate a current timestamp in milliseconds (Date.now())
  2. Create the message string by combining merchant code, timestamp, URI (including query parameters), and request payload
  3. Generate the HMAC signature using SHA-256 and your secret key
  4. Include the signature and other required headers in your request
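
The four steps above, put together as an added example (not Two-Coin's own code), with a receiver-side check that compares signatures in constant time and rejects old timestamps. Assumptions: the helper names, the empty-string payload for requests without a body, and the 5-minute timestamp window are illustrative and not documented by Two-Coin.

```javascript
const crypto = require('crypto');

// Same message layout as generateSignature above: no separators between fields.
function sign(merchantCode, secretKey, uri, payload, timestamp) {
    return crypto.createHmac('sha256', secretKey)
        .update(`${merchantCode}${timestamp}${uri}${payload}`)
        .digest('hex');
}

// Steps 1-4: serialize the body once, then sign and send that exact string.
// Assumption: a request without a body signs an empty payload string.
function buildSignedRequest(merchantCode, secretKey, uri, body, now = Date.now()) {
    const payload = body === undefined ? '' : JSON.stringify(body);
    const timestamp = String(now);
    return {
        uri,
        payload,
        headers: {
            'X-MERCHANT-CODE': merchantCode,
            'X-TIMESTAMP': timestamp,
            'X-SIGNATURE': sign(merchantCode, secretKey, uri, payload, timestamp),
        },
    };
}

// Receiver-side check (assumed; the 5-minute window is not a documented value).
function verifySignedRequest(req, secretKey, now = Date.now(), maxSkewMs = 300000) {
    const h = req.headers;
    const ts = Number(h['X-TIMESTAMP']);
    if (!Number.isFinite(ts) || Math.abs(now - ts) > maxSkewMs) return 'stale';
    const expected = Buffer.from(
        sign(h['X-MERCHANT-CODE'], secretKey, req.uri, req.payload, h['X-TIMESTAMP']), 'hex');
    const given = Buffer.from(String(h['X-SIGNATURE']), 'hex');
    // Length check first: timingSafeEqual throws on unequal lengths.
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
        return 'bad-signature';
    }
    return 'ok';
}
```

Send the returned payload string as the request body unchanged; re-serializing the object after signing can reorder keys or change whitespace and invalidate the signature.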

Security Best Practices

  • Never share your API secret in client-side code or public repositories
  • Implement IP whitelisting for additional security
  • Rotate your API credentials periodically
  • Validate webhook signatures to ensure they come from Two-Coin

Support

If you encounter any issues or have questions not addressed in this documentation, please contact our support team on Telegram at https://t.me/cs_2coin (@cs_2coin).