Auth and Signatures

This public documentation covers signed request security for integration APIs.

Signed Requests (Integration Product)

Used by backend services integrating with SodaPop APIs.

Required headers:

  • x-depay-signature
  • x-depay-timestamp

Verification rules:

  1. Signature must recover ownerAddress.
  2. Timestamp must be within ±5 minutes.
  3. Timestamp must be unique per owner (replay protection).

Replay key:

  • (ownerAddress, timestamp)

Internal API Note

Session-based frontend auth exists for the internal dashboard, but those endpoints are not part of public integration docs.

Signed Message Format

DePay API Request Signature
<CANONICAL_JSON>

Canonical JSON object structure:

{
  "action": "invoice.create",
  "ownerAddress": "0x...",
  "timestamp": 1714200000000,
  "payload": {}
}
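
The three verification rules applied to this message format, as an added example that is not the service's own code. `ReplayGuard`, `verifySignedRequest` and the caller-supplied `recoverSigner(message, signature)` are hypothetical names; the example assumes a single newline between the prefix line and the JSON, and that `x-depay-timestamp` repeats the signed millisecond `timestamp`.

```javascript
// Added example. ReplayGuard, verifySignedRequest and recoverSigner are hypothetical names.
const WINDOW_MS = 5 * 60 * 1000; // rule 2: accept timestamps within ±5 minutes
const PREFIX = "DePay API Request Signature\n"; // assumed: one newline before the JSON

class ReplayGuard {
  constructor() {
    this.seen = new Map(); // "owner:timestamp" -> timestamp (ms)
  }
  // Returns true the first time a key is claimed and false on a repeat.
  claim(owner, timestamp, now) {
    // Keys older than the window can go: rule 2 rejects those requests anyway.
    for (const [key, ts] of this.seen) {
      if (now - ts > WINDOW_MS) this.seen.delete(key);
    }
    const key = `${owner.toLowerCase()}:${timestamp}`;
    if (this.seen.has(key)) return false;
    this.seen.set(key, timestamp);
    return true;
  }
}

// req: { signature, timestamp, canonicalJson }, the first two taken from the
// x-depay-signature and x-depay-timestamp headers.
function verifySignedRequest(req, guard, recoverSigner, now = Date.now()) {
  const fail = (reason) => ({ ok: false, reason });
  let body;
  try {
    body = JSON.parse(req.canonicalJson);
  } catch (err) {
    return fail("bad-json");
  }
  if (!body || typeof body.ownerAddress !== "string") return fail("bad-json");
  const ts = body.timestamp;
  if (!Number.isSafeInteger(ts)) return fail("bad-timestamp");
  // Assumption: the header repeats the signed value, so only the signed one is trusted.
  if (String(ts) !== String(req.timestamp)) return fail("timestamp-mismatch");
  if (Math.abs(now - ts) > WINDOW_MS) return fail("stale-timestamp");
  // Rule 1 before rule 3, so unsigned requests cannot use up an owner's timestamps.
  const signer = recoverSigner(PREFIX + req.canonicalJson, req.signature);
  if (typeof signer !== "string" || signer.toLowerCase() !== body.ownerAddress.toLowerCase()) {
    return fail("bad-signature");
  }
  if (!guard.claim(body.ownerAddress, ts, now)) return fail("replayed");
  return { ok: true, owner: body.ownerAddress };
}
```

The in-memory `Map` only protects a single process; with several API instances the replay keys need a shared store with an atomic insert-if-absent.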

EIP-712 Meta-Transaction Signatures

For setFeeMetaTx and setPayoutMetaTx, the owner wallet signs typed data with:

  • name: PaymentFactory
  • version: 1
  • verifyingContract: 0x79972d16fe9Aac806caB10377DD0c27781aE0491
  • chainId: selected chain

See detailed endpoint examples in API v1 sections.