Getting Started

API Authentication

All API requests require two headers for authentication:

Header	Description
`X-API-Key`	Your API key
`X-Signature`	HMAC SHA-256 signature of the request

X-Signature

The signature proves the request authenticity. It is computed as HMAC-SHA256 of the following string (all components concatenated, no separators):

Code
{unix_timestamp}{http_method}{request_path}{request_body}

Example: 1773783618GET/pay-in{}

unix_timestamp — Unix time in seconds (e.g. 1731862800)
http_method — Uppercase HTTP method: GET, POST, etc.
request_path — Path including query string, e.g. /pay-in or /orders?status=pending
request_body — Raw JSON body for POST/PUT, empty string for GET

Keep your API secret secure. Never expose it in client-side code or public repositories.

Code Examples

Go


Code
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"net/http"
	"strconv"
	"time"
)

func signRequest(apiSecret, method, path, body string) string {
	timestamp := strconv.FormatInt(time.Now().Unix(), 10)
	payload := timestamp + method + path + body

	mac := hmac.New(sha256.New, []byte(apiSecret))
	mac.Write([]byte(payload))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	apiKey := "your_api_key"
	apiSecret := "your_api_secret"
	method := "POST"
	path := "/pay-in"

	body := map[string]interface{}{
		"amount":            500,
		"currency":          "EUR",
		"external_order_id": "66a0e20c-cf87-4077-8e2e-46b487879aa9",
		"method":            "P2P_CARD",
	}
	bodyBytes, _ := json.Marshal(body)
	bodyStr := string(bodyBytes)

	signature := signRequest(apiSecret, method, path, bodyStr)

	req, _ := http.NewRequest(method, "https://api.frmpay.com"+path, bytes.NewReader(bodyBytes))
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("X-API-Key", apiKey)
	req.Header.Set("X-Signature", signature)

	// resp, err := (&http.Client{}).Do(req)
}

JavaScript (Node.js)


Code
import crypto from "crypto";

function signRequest(apiSecret, method, path, body) {
  const timestamp = Math.floor(Date.now() / 1000).toString();
  const payload = timestamp + method + path + body;

  return crypto
    .createHmac("sha256", apiSecret)
    .update(payload)
    .digest("hex");
}

const apiKey = "your_api_key";
const apiSecret = "your_api_secret";
const method = "POST";
const path = "/pay-in";
const body = JSON.stringify({
  amount: 500,
  currency: "EUR",
  external_order_id: "66a0e20c-cf87-4077-8e2e-46b487879aa9",
  method: "P2P_CARD",
});

const signature = signRequest(apiSecret, method, path, body);

const response = await fetch(`https://api.frmpay.com${path}`, {
  method,
  headers: {
    "Content-Type": "application/json",
    "X-API-Key": apiKey,
    "X-Signature": signature,
  },
  body,
});

TypeScript


Code
import crypto from "crypto";

function signRequest(
  apiSecret: string,
  method: string,
  path: string,
  body: string
): string {
  const timestamp = Math.floor(Date.now() / 1000).toString();
  const payload = timestamp + method + path + body;

  return crypto
    .createHmac("sha256", apiSecret)
    .update(payload)
    .digest("hex");
}

const apiKey = "your_api_key";
const apiSecret = "your_api_secret";
const method = "POST";
const path = "/pay-in";
const body = JSON.stringify({
  amount: 500,
  currency: "EUR",
  external_order_id: "66a0e20c-cf87-4077-8e2e-46b487879aa9",
  method: "P2P_CARD",
});

const signature = signRequest(apiSecret, method, path, body);

const response = await fetch(`https://api.frmpay.com${path}`, {
  method,
  headers: {
    "Content-Type": "application/json",
    "X-API-Key": apiKey,
    "X-Signature": signature,
  },
  body,
});

PHP

Code
<?php

function signRequest(string $apiSecret, string $method, string $path, string $body): string
{
    $timestamp = (string) time();
    $payload = $timestamp . $method . $path . $body;

    return hash_hmac('sha256', $payload, $apiSecret);
}

$apiKey = 'your_api_key';
$apiSecret = 'your_api_secret';
$method = 'POST';
$path = '/pay-in';
$body = json_encode([
    'amount' => 500,
    'currency' => 'EUR',
    'external_order_id' => '66a0e20c-cf87-4077-8e2e-46b487879aa9',
    'method' => 'P2P_CARD',
]);

$signature = signRequest($apiSecret, $method, $path, $body);

$ch = curl_init("https://api.frmpay.com" . $path);
curl_setopt_array($ch, [
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $body,
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/json',
        'X-API-Key: ' . $apiKey,
        'X-Signature: ' . $signature,
    ],
]);

$response = curl_exec($ch);

Last modified on March 18, 2026

Callbacks

Header

Description

X-API-Key

Your API key

X-Signature

HMAC SHA-256 signature of the request

Code Examples

Code

package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"net/http"
	"strconv"
	"time"
)

func signRequest(apiSecret, method, path, body string) string {
	timestamp := strconv.FormatInt(time.Now().Unix(), 10)
	payload := timestamp + method + path + body

	mac := hmac.New(sha256.New, []byte(apiSecret))
	mac.Write([]byte(payload))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	apiKey := "your_api_key"
	apiSecret := "your_api_secret"
	method := "POST"
	path := "/pay-in"

	body := map[string]interface{}{
		"amount":            500,
		"currency":          "EUR",
		"external_order_id": "66a0e20c-cf87-4077-8e2e-46b487879aa9",
		"method":            "P2P_CARD",
	}
	bodyBytes, _ := json.Marshal(body)
	bodyStr := string(bodyBytes)

	signature := signRequest(apiSecret, method, path, bodyStr)

	req, _ := http.NewRequest(method, "https://api.frmpay.com"+path, bytes.NewReader(bodyBytes))
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("X-API-Key", apiKey)
	req.Header.Set("X-Signature", signature)

	// resp, err := (&http.Client{}).Do(req)
}

JavaScript (Node.js)

Code

import crypto from "crypto";

function signRequest(apiSecret, method, path, body) {
  const timestamp = Math.floor(Date.now() / 1000).toString();
  const payload = timestamp + method + path + body;

  return crypto
    .createHmac("sha256", apiSecret)
    .update(payload)
    .digest("hex");
}

const apiKey = "your_api_key";
const apiSecret = "your_api_secret";
const method = "POST";
const path = "/pay-in";
const body = JSON.stringify({
  amount: 500,
  currency: "EUR",
  external_order_id: "66a0e20c-cf87-4077-8e2e-46b487879aa9",
  method: "P2P_CARD",
});

const signature = signRequest(apiSecret, method, path, body);

const response = await fetch(`https://api.frmpay.com${path}`, {
  method,
  headers: {
    "Content-Type": "application/json",
    "X-API-Key": apiKey,
    "X-Signature": signature,
  },
  body,
});

TypeScript

Code

import crypto from "crypto";

function signRequest(
  apiSecret: string,
  method: string,
  path: string,
  body: string
): string {
  const timestamp = Math.floor(Date.now() / 1000).toString();
  const payload = timestamp + method + path + body;

  return crypto
    .createHmac("sha256", apiSecret)
    .update(payload)
    .digest("hex");
}

const apiKey = "your_api_key";
const apiSecret = "your_api_secret";
const method = "POST";
const path = "/pay-in";
const body = JSON.stringify({
  amount: 500,
  currency: "EUR",
  external_order_id: "66a0e20c-cf87-4077-8e2e-46b487879aa9",
  method: "P2P_CARD",
});

const signature = signRequest(apiSecret, method, path, body);

const response = await fetch(`https://api.frmpay.com${path}`, {
  method,
  headers: {
    "Content-Type": "application/json",
    "X-API-Key": apiKey,
    "X-Signature": signature,
  },
  body,
});

PHP

Code

<?php

function signRequest(string $apiSecret, string $method, string $path, string $body): string
{
    $timestamp = (string) time();
    $payload = $timestamp . $method . $path . $body;

    return hash_hmac('sha256', $payload, $apiSecret);
}

$apiKey = 'your_api_key';
$apiSecret = 'your_api_secret';
$method = 'POST';
$path = '/pay-in';
$body = json_encode([
    'amount' => 500,
    'currency' => 'EUR',
    'external_order_id' => '66a0e20c-cf87-4077-8e2e-46b487879aa9',
    'method' => 'P2P_CARD',
]);

$signature = signRequest($apiSecret, $method, $path, $body);

$ch = curl_init("https://api.frmpay.com" . $path);
curl_setopt_array($ch, [
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $body,
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/json',
        'X-API-Key: ' . $apiKey,
        'X-Signature: ' . $signature,
    ],
]);

$response = curl_exec($ch);

Last modified on March 18, 2026