Request Signing - Simfy Business API Docs

Simfy Business API-key requests should be signed by your backend. The signature proves that the request came from an approved integration and was not modified in transit. Each signed request includes:

Header	Required	Description
`x-api-key`	Yes	API key issued to your integration.
`x-timestamp`	Yes	The current timestamp for the request.
`x-signature`	Yes	A Base64-encoded HMAC-SHA256 signature generated with your signing secret.

Signature payload

Create the signature from the timestamp, API key, request URL, request body, and signing secret provided for your environment.

{
  "timeStamp": "2026-05-20T08:00:00.000Z",
  "apiKey": "YOUR_SIMFY_BUSINESS_API_KEY",
  "url": "/api/v1/wallets/generate-wallet",
  "body": {
    "token": "usdt",
    "name": "Main USDT Wallet"
  }
}

The exact signature algorithm must match your Simfy Business-issued credentials. Do not expose signing secrets in browsers, mobile apps, logs, or client-side code.

Node.js example

import crypto from "crypto";

const signingSecret = process.env.SIMFY_BUSINESS_SIGNING_SECRET;

const payload = {
  timeStamp: timestamp,
  apiKey: process.env.SIMFY_BUSINESS_API_KEY,
  url: "/api/v1/wallets/generate-wallet",
  body: {
    token: "usdt",
    name: "Main USDT Wallet",
  },
};

const signature = crypto
  .createHmac("sha256", signingSecret)
  .update(JSON.stringify(payload))
  .digest("base64");

Important

Your signing secret should only live on your backend. If you are building a frontend or mobile app, route signed Simfy Business API calls through your own backend service.

​Signature payload

​Node.js example

​Important

Signature payload

Node.js example

Important