Payment Service Request Signing

All Payment Service API calls require signed requests.

Required Headers

• x-depay-timestamp
• x-depay-signature

Timestamp Rules

1. Timestamp must be within ±5 minutes of server time.
2. Timestamp cannot be reused for the same owner address.

Replay key format:

• (ownerAddress, timestamp)

Signed Message

The signature input is always:

DePay API Request Signature
<CANONICAL_JSON>

Canonical JSON shape:

{
  "action": "invoice.create",
  "ownerAddress": "0x...",
  "timestamp": 1714200000000,
  "payload": {
    "chainId": 8453,
    "invoiceId": "1000456",
    "amount": "12.5"
  }
}

Action Values

• invoice.create
• invoice.status
• invoice.delete
• invoice.list
• fee.set-meta
• fee.set-payout-meta

cURL Skeleton

curl -X POST '<BASE_URL>/integration/invoices' \
  -H 'Content-Type: application/json' \
  -H 'x-depay-timestamp: <TIMESTAMP_MS>' \
  -H 'x-depay-signature: <REQUEST_SIGNATURE>' \
  -d '{
    "ownerAddress": "<OWNER_ADDRESS>",
    "chainId": 8453,
    "amount": "12.5"
  }'