Security Requirements
Overview
All API requests must satisfy the following security requirements.
Authentication Mechanisms
The ePAPSS platform enforces multiple layers of security:
- Mutual TLS (mTLS)
- Subscription Key Authentication
- HMAC SHA256 Request Signing
- Timestamp Validation
- Idempotency Protection
- IP Whitelisting
Subscription Key Authentication
Every API request must include a valid subscription key.
The subscription key is issued during onboarding.
Required Header
subscription-key: xxxxxxxxxxxxxxxxxxxxx
| Header | Required | Description |
|---|---|---|
| subscription-key | Yes | API subscription key issued by eTranzact |
Mutual TLS (mTLS)
All client institutions must install and present a valid client certificate during the TLS handshake.
Requirements
| Requirement | Description |
|---|---|
| Client Certificate | Issued during onboarding |
| Certificate Validation | Required |
| TLS Version | TLS 1.2 or higher |
| Certificate Registration | Mandatory |
Requests without a valid certificate will be rejected.
Request Headers
Every request must contain:
| Header | Required | Description |
|---|---|---|
| subscription-key | Yes | Issued during onboarding |
| X-client-Id | Yes | Client Identifier |
| X-Idempotency-Key | Yes | Unique request identifier |
| X-Timestamp | Yes | ISO 8601 timestamp |
| X-Signature | Yes | HMAC SHA256 signature |
| Content-Type | Yes | application/json |
Example
POST url
curl -X POST "url" \
  -H "subscription-key: 2df8a91s8d7a1" \
  -H "X-Idempotency-Key: 432987234" \
  -H "X-client-Id: 432987234" \
  -H "X-Timestamp: 2026-03-11T12:30:00Z" \
  -H "X-Signature: a82dd9838fa" \
  -H "Content-Type: application/json"
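The headers listed above can be produced and checked in code. The following is an added example, not eTranzact's code or part of the original page. This page does not define the signed string, the signature encoding, the signing secret or the timestamp tolerance, so the newline-joined layout, hex encoding, shared secret and 300-second window below are assumptions to be replaced with the values from onboarding.

```python
import hashlib
import hmac
import uuid
from datetime import datetime, timedelta, timezone

# ASSUMPTIONS: signed-string layout, hex encoding, shared secret and the
# timestamp tolerance are not defined on this page; all are placeholders.
MAX_SKEW = timedelta(seconds=300)

def canonical_string(client_id, timestamp, idempotency_key, body):
    # Assumed layout: header values joined by newlines, request body last.
    return "\n".join([client_id, timestamp, idempotency_key, body]).encode()

def sign(secret, client_id, timestamp, idempotency_key, body):
    msg = canonical_string(client_id, timestamp, idempotency_key, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def build_headers(subscription_key, client_id, secret, body, now=None):
    """Client side: fresh idempotency key and UTC timestamp per request."""
    now = now or datetime.now(timezone.utc)
    timestamp = now.strftime("%Y-%m-%dT%H:%M:%SZ")  # ISO 8601, UTC
    idem = str(uuid.uuid4())
    return {
        "subscription-key": subscription_key,
        "X-client-Id": client_id,
        "X-Idempotency-Key": idem,
        "X-Timestamp": timestamp,
        "X-Signature": sign(secret, client_id, timestamp, idem, body),
        "Content-Type": "application/json",
    }

def verify(headers, secret, body, seen_keys, now=None):
    """Receiving side: timestamp window, then signature, then replay check."""
    now = now or datetime.now(timezone.utc)
    sent = datetime.strptime(headers["X-Timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    if abs(now - sent.replace(tzinfo=timezone.utc)) > MAX_SKEW:
        return "stale-timestamp"
    expected = sign(secret, headers["X-client-Id"], headers["X-Timestamp"],
                    headers["X-Idempotency-Key"], body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, headers["X-Signature"]):
        return "bad-signature"
    if headers["X-Idempotency-Key"] in seen_keys:
        return "duplicate"  # already processed; do not execute again
    seen_keys.add(headers["X-Idempotency-Key"])
    return "ok"
```

Because the timestamp and idempotency key are covered by the signature in this layout, neither can be changed on a captured request without invalidating `X-Signature`.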