Signature Guide

Overview

All Merchant API requests must include an RSA digital signature to ensure data integrity and prevent tampering. The signature is computed using the SHA256withRSA algorithm with the merchant's private key.

Signature Workflow

1. Construct signature string → 2. Sign with private key → 3. Attach to request headers → 4. Server-side verification

Request Headers

All API requests must include Content-Type: application/json and the following signature-related headers:

| Header | Type | Required | Description |
| --- | --- | --- | --- |
| Content-Type | string | Yes | Always application/json |
| timestamp | string | Yes | Unix timestamp (seconds) |
| nonce | string | Yes | A unique random string per request (6–32 characters) |
| signature | string | Yes | Base64-encoded RSA signature |

Example:

```http
POST /pay-fac/MERCHANT001/v1/user HTTP/1.1
Host: paas-gateway.imetastore.io
Content-Type: application/json
timestamp: 1743478725
nonce: a1b2c3
signature: <Base64-encoded signature>
```

Constructing the Signature String

The signature string is formed by directly concatenating the following four parts (no separator):

```text
signature_string = sorted_params + timestamp + nonce + body_data
```

| Part | Description |
| --- | --- |
| sorted_params | URL query parameters sorted alphabetically by key, concatenated as key1=value1&key2=value2. Use an empty string "" if there are no parameters |
| timestamp | Unix timestamp (seconds), e.g. 1743478725 |
| nonce | A unique random string per request (6–32 alphanumeric characters); must not repeat within the timestamp validity window |
| body_data | The raw JSON request body string. Use an empty string "" when there is no request body (e.g. GET requests) |

Signature Calculation Example

Given data:

  • URL parameters: param1=value1, param2=value2
  • Timestamp: 1743478725
  • Nonce: a1b2c3
  • Request body: {"key":"value"}

Step 1 — Sort parameters:

```text
param1=value1&param2=value2
```

Step 2 — Concatenate the signature string:

```text
param1=value1&param2=value21743478725a1b2c3{"key":"value"}
```

Step 3 — Sign: Sign the above string using the SHA256withRSA algorithm with the merchant's PKCS#8 private key, then Base64-encode the result.

Step 4 — Attach to request headers:

```http
timestamp: 1743478725
nonce: a1b2c3
signature: <Base64-encoded result>
```

Important Notes

TIP

  • URL query parameters must be sorted alphabetically by key; otherwise the signature will not match
  • body_data must be the raw request body string — do not re-serialize it
  • Use an empty string instead of null when there is no request body
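
The workflow above, end to end, as an added example that is not part of the original guide and not the gateway's own code: it builds the signature string, signs it with SHA256withRSA using Node.js's built-in crypto module, and runs a hypothetical server-side check. The function names, the 300-second validity window, the in-memory nonce set, code-point key ordering and the throwaway key pair are all assumptions; the guide does not state the window length or how the server stores nonces.

```javascript
// Added example, not the gateway's own code. Node.js standard library only.
const crypto = require('node:crypto');

// sorted_params + timestamp + nonce + body_data, concatenated with no separator.
// Assumption: keys sort by code point and values are used exactly as sent.
function buildSignatureString(query, timestamp, nonce, rawBody) {
  const sortedParams = Object.keys(query).sort()
    .map((k) => `${k}=${query[k]}`).join('&');
  return sortedParams + timestamp + nonce + (rawBody ?? '');
}

// With an RSA key, 'sha256' selects RSASSA-PKCS1-v1_5 over SHA-256 (SHA256withRSA).
function signRequest(privateKeyPem, req) {
  const data = buildSignatureString(req.query, req.timestamp, req.nonce, req.rawBody);
  return crypto.sign('sha256', Buffer.from(data, 'utf8'), privateKeyPem).toString('base64');
}

// Hypothetical verifier: format and freshness checks, then signature, then replay.
function verifyRequest(publicKeyPem, req, seenNonces, nowSec, windowSec = 300) {
  if (!/^[A-Za-z0-9]{6,32}$/.test(req.nonce)) return 'bad-nonce';
  if (!/^\d+$/.test(req.timestamp)) return 'bad-timestamp';
  if (Math.abs(nowSec - Number(req.timestamp)) > windowSec) return 'stale';
  const data = buildSignatureString(req.query, req.timestamp, req.nonce, req.rawBody);
  const sig = Buffer.from(req.signature, 'base64');
  if (!crypto.verify('sha256', Buffer.from(data, 'utf8'), publicKeyPem, sig)) return 'bad-signature';
  if (seenNonces.has(req.nonce)) return 'replay';
  seenNonces.add(req.nonce); // recorded only after the signature checks out
  return 'ok';
}

// Constructed sample: throwaway key pair plus the values from the guide's example.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
    publicKeyEncoding: { type: 'spki', format: 'pem' },
  });
  const req = { query: { param2: 'value2', param1: 'value1' }, timestamp: '1743478725',
    nonce: 'a1b2c3', rawBody: '{"key":"value"}' };
  req.signature = signRequest(privateKey, req);
  const seen = new Set(), now = 1743478730;
  return {
    first: verifyRequest(publicKey, req, seen, now),
    replayed: verifyRequest(publicKey, req, seen, now),
    reserialized: verifyRequest(publicKey, { ...req, rawBody: '{"key": "value"}' }, new Set(), now),
    stale: verifyRequest(publicKey, req, new Set(), now + 3600),
  };
}
console.log(demo());
```

The `reserialized` case differs from the signed body by a single space, which is why the body must be signed and sent as the same raw string. A production nonce store would also expire entries once they fall outside the validity window instead of growing without bound.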