Generating Signature
Overview
The signature generation process consists of the following steps:
Step 1: Generate Timestamp
Create a UTC timestamp in ISO 8601 format.
Example:
2026-06-22T10:30:45.123Z
A second timestamp format is then derived by removing separators:
20260622103045123
Format:
YYYYMMDDHHMMSSmmm
Where:
- YYYY = Year
- MM = Month
- DD = Day
- HH = Hour
- MM = Minute
- SS = Second
- mmm = Milliseconds
Step 2: Extract Required Request Fields
The following fields are extracted from the request payload:
Example Request Body:
{
"transactionReference": "TRX123456789",
"amount": 1000,
"currency": "NGN",
"source": {
"accountNumber": "1234567890"
},
"destination": {
"accountNumber": "0987654321",
"country": "NG"
}
}
Step 3: Build Canonical Signing String
The signing string must be constructed in the exact order shown below:
HTTP_METHOD|REQUEST_PATH|CLIENT_ID|TIMESTAMP|TRANSACTION_REFERENCE|SOURCE_ACCOUNT|AMOUNT|DESTINATION_ACCOUNT|DESTINATION_COUNTRY
Example
Request:
POST /api/v1/transfers
Client ID:
CLT_900000000002_C1DE89E2
Timestamp:
20260622103045123
Request Body:
{
"transactionReference": "TRX123456789",
"amount": 1000,
"currency": "NGN",
"source": {
"accountNumber": "1234567890"
},
"destination": {
"accountNumber": "0987654321",
"country": "NG"
}
}
Generated Canonical String:
POST|/api/v1/transfers|CLT_900000000002_C1DE89E2|20260622103045123|TRX123456789|1234567890|1000|0987654321|NG
Important:
- Field order must not be changed.
- Empty values should still be represented by empty positions
- Delimiter must be the pipe character (|).
Step 4: Generate HMAC-SHA256 Signature
Use the client's Secret Key as the signing key.
Algorithm:
HMAC-SHA256
Input:
POST|/api/v1/transfers|CLT_900000000002_C1DE89E2|20260622103045123|TRX123456789|1234567890|1000|0987654321|NG
Secret Key:
fd185dcd47f149ee94382bb465d483e7710c6b95c39742e2
Output:
Binary HMAC Result
Encode the result using Base64.
Example:
M4mPoV7dAz7jH1vVt6f7D+7gQaL7H2b3R2hP7ZJr6Ys=