HMAC Authentication

Sznd Business API uses HMAC-based authentication on top of API keys for client API integrations.

How It Works

Every request to a protected /client endpoint includes:

  1. your public API key
  2. a request timestamp
  3. a signature derived from the request body and timestamp

The server recomputes the signature using your secret key. If the body, timestamp, or secret does not match, the request is rejected.

Required Headers

  X-API-Key: your_api_key_here
  X-Signature: generated_signature_here
  X-Timestamp: 2025-01-15T10:30:00Z

  • X-API-Key: your public API key identifier
  • X-Timestamp: RFC3339 UTC timestamp for replay protection
  • X-Signature: hex-encoded HMAC-SHA256 signature

Authentication Errors

Common failures include:

  • missing x-api-key, x-signature, or x-timestamp
  • invalid timestamp format
  • timestamp too old or too far in the future
  • invalid signature because the signed body and sent body differ
  • inactive or expired API key

These failures commonly return 401 Unauthorized or 403 Forbidden.
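
The check described under How It Works, sketched as an added example (not Sznd's own code) that walks a request through the failure modes listed above. Assumptions, since the page does not specify them: the signed string is the timestamp, a dot, and the raw body bytes; the allowed clock skew is five minutes; the 401/403 mapping, the `sign` and `verify` names, and the key and secret values are constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumption: the page does not state the window


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    # Assumed canonical string: timestamp, a dot, then the exact body bytes sent.
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(headers: dict, body: bytes, secrets: dict, now: datetime) -> tuple:
    """Return (status, reason); the status mapping is an assumption."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for name in ("x-api-key", "x-signature", "x-timestamp"):
        if name not in h:
            return 401, "missing " + name
    try:
        # Accepts only the "Z" form shown on the page, not every RFC3339 variant.
        ts = datetime.strptime(h["x-timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
    except ValueError:
        return 401, "invalid timestamp format"
    if abs(now - ts) > MAX_SKEW:  # rejects both stale and future-dated requests
        return 401, "timestamp outside allowed window"
    secret = secrets.get(h["x-api-key"])
    if secret is None:
        return 403, "inactive or unknown API key"
    expected = sign(secret, h["x-timestamp"], body)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected.encode(), h["x-signature"].encode()):
        return 401, "invalid signature"
    return 200, "ok"


# Constructed sample values, not real credentials.
SECRETS = {"demo_key": b"demo_secret"}
NOW = datetime(2025, 1, 15, 10, 31, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=1)
BODY = b'{"amount":"100.00","currency":"USD"}'
TS = "2025-01-15T10:30:00Z"
GOOD = {"X-API-Key": "demo_key", "X-Timestamp": TS,
        "X-Signature": sign(SECRETS["demo_key"], TS, BODY)}

if __name__ == "__main__":
    print(verify(GOOD, BODY, SECRETS, NOW))                           # accepted
    print(verify(GOOD, BODY.replace(b'":"', b'": "'), SECRETS, NOW))  # body re-serialized
    print(verify(GOOD, BODY, SECRETS, LATER))                         # same request, an hour on
```

The second call shows why the signature must be computed over the exact bytes that are sent: re-serializing the JSON after signing changes only whitespace, yet verification fails.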

API Key Management

Business API keys are managed outside the published client API reference. Use your business settings or the workflow provided by the Integration Team to create, rotate, and review keys.

Secret keys are never returned again after creation, so store them securely.
