# Generating a Signature

In order to authorize your API requests, the system requires a SHA-256 hash of the payload as a signature. This signature serves as a digital seal, guaranteeing the integrity and origin of the data being transmitted.

These steps can be applied to various programming languages, as the underlying HMAC-SHA256 concept remains the same. However, please note that the specific implementation details might vary based on the programming language used.

## 1. Prepare Input Parameters

Gather the components of the API request that need to be included in the signature:

* `method`: The HTTP method of the API request (e.g., 'GET', 'POST').
* `url`: The URL of the API endpoint.
* `bodyBuffer`: a JSON string payload, which is converted into a Buffer.
* `timestamp`: A timestamp indicating when the request is being made (in miliseconds).
* `secretKey`: A secret key used for HMAC-SHA256 encryption.

## 2. **Decode the Secret Key**

Decode the base64-encoded `secretKey` to obtain the original secret.

## 3. **Create HMAC Instance**

Concatenate the components of the request in this order into a single string.

1. method,&#x20;
2. URL,&#x20;
3. timestamp,&#x20;
4. and the request body.

Create an HMAC instance using the SHA-256 hash algorithm and the secret key. Pass the string into the HMAC instance.

## 4. Generate HMAC Digest

Generate the HMAC digest by finalizing the HMAC computation. This step produces a binary hash.

## 5. Encode the Digest

Encode the binary hash into a string representation. The encoding format should be a base64Url.

## Code Example (TypeScript)

The following is an example code implementation using Typescript:

```typescript
import * as crypto from 'crypto';

function atob(str: string) {
  return Buffer.from(str, 'base64').toString('binary');
}

export function createSignature(
  method: string,
  url: string,
  body: any,
  timestamp: string,
  secretKey: string,
) {
  const bodyBuffer = Buffer.from(JSON.stringify(body));

  const secret = atob(secretKey);

  const hmac = crypto.createHmac('sha256', secret);
  hmac.update(timestamp);
  hmac.update(method);
  hmac.update(url);

  if (bodyBuffer != null) {
    hmac.update(bodyBuffer);
  }

  const hash = hmac.digest();
  const signature = hash.toString('base64url');

  return signature;
}
```

You're all set. Include the generated signature in the API request headers.