# Signature

Some APIs require signature in incoming requests (like BetEngine API).

The Signature is calculated based on the `timestamp`, `request body` and your `Secret Key` with HMAC hash using SHA256 Algorithm. 

Here is an example on how to generate the Signature for create `/ticket` request with `Secret Key=12345ABCDE`, `timestamp=1706090303` and following request body:

```json
{
    "operator": "site",
    "token": "UnIqUe-ToKeN",
    "price": 5000,
    "currency": "KES",
    "atag": "affiliate-1",
    "source": "mobile",
    "type": "superbet",
    "event": 100001,
    "bets": [101, 102, 103, 104, 105, 106]
}
```

In order to generate the Signature all spaces must be removed from the request body:

```json
{"operator":"site","token":"UnIqUe-ToKeN","price":5000,"currency":"KES","atag":"affiliate-1","source":"mobile","type":"superbet","event":100001,"bets":[101,102,103,104,105,106]}
```

{% hint style="info" %}
Please note that the order of the fields matters for calculating the signature. Fields must be in the same order they are listed on doc pages for requests.
{% endhint %}

{% hint style="info" %}
Please note that optional fields, like `atag` must also be included in signature generation, even if they have `null` values. For example, if `atag` field has `null` value then it must be included in signature generation like so:

```
{...,"atag":null,...}
```

{% endhint %}

Then message for HMAC algorithm has to be formed using following template:

```
{timestamp}{request body with removed spaces}
```

{% hint style="info" %}
Please note that for requests that have no body, like GET requests, above template will only consist of `{timestamp}`.
{% endhint %}

So the message should look like the following:

```
1706090303{"operator":"site","token":"UnIqUe-ToKeN","price":5000,"currency":"KES","atag":"affiliate-1","source":"mobile","type":"superbet","event":100001,"bets":[101,102,103,104,105,106]}
```

The computed Signature for this request is:

```
f99aee9f77eef1ee8b64c78e7f8612e3234f03cce5fecdebd7ea27f2b9081423
```

A free online HMAC Generator for testing is available on <https://www.freeformatter.com/hmac-generator.html#before-output>.&#x20;

Here is how we calculated the Signature from above example using **Free Formatter**

<figure><img src="https://2027057513-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FKuxm6ysd27rN14uEAtGy%2Fuploads%2F9OVxZZO7fMiuiQsAL0w8%2Fimage.png?alt=media&#x26;token=6f164db9-11ae-4a52-9bee-3345e04b85e3" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Your `Secret Key` is located on your API Settings page. Login to Betstack to access your `Secret Key`
{% endhint %}

<figure><img src="https://2027057513-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FKuxm6ysd27rN14uEAtGy%2Fuploads%2Fe5aGzX5mkTtACXh9j4Ee%2Fsecret-Key.png?alt=media&#x26;token=7a7a76a8-c5ea-4821-986f-e015fb624c4b" alt=""><figcaption><p>Secret Key is locate in API Settings profile page</p></figcaption></figure>