API Keys & Authentication
This guide explains our authentication system and how to set up your credentials for secure API calls.
Prerequisites
Before integrating with our API, ensure you have:
- A Prestmit API sandbox account with API access enabled. You can register here: https://sandbox.prestmit.io
- You'll need to create an account and send an email to [email protected] requesting API access. Once your email has been received, our team will contact you with details about activating your access.
- Once API access is activated, you can get your API credentials from your dashboard.
API Authentication System
Authentication Overview
Prestmit uses a multi-layered authentication approach.
Required Credentials
You'll need these credentials to authenticate with the API:
| Credential | Description | Where to Find | Why It's Needed |
|---|---|---|---|
| API_KEY | Your unique API identifier | Prestmit Console > Developers | Identifies your account in our system |
| API_SECRET | Secret used for request signing | Prestmit Console > Developers | Used to generate the HMAC signature that verifies your requests |
Environments
You'll get two environments:
- Sandbox: https://dev.prestmit.io/api/partners/v1
- Live: https://prestmit.io/api/partners/v1
Authentication Flow Explained
The Prestmit API uses HMAC (Hash-based Message Authentication Code) to verify the authenticity and integrity of each request:
- Create the payload: Your system combines your API key with the request body.
- Generate the hash: An HMAC-SHA256 hash is created using your API secret key.
- Add authentication headers: The hash and other required headers are included in your request.
This process ensures that:
- The request is coming from you (authentication)
- The request hasn't been tampered with (integrity)
- The request can't be replayed by attackers (with proper timestamp usage)
Authentication Headers
Every API request must include these headers:
| Header | Value | Purpose |
|---|---|---|
| API-KEY | Your API key | Identifies your account |
| API-Hash | HMAC-SHA256 hash of your payload | Verifies request integrity |
| Content-Type | application/json (for most requests) | Specifies request format |
| Accept | application/json | Specifies response format |
Generating the API-Hash Header
Every request to Prestmit's API must include a valid API-Hash header. This header is an HMAC-SHA256 signature generated from your API credentials and request data.
1. What to Hash
NOTICE: When making a POST request, ensure that you remove the attachments request parameter from the request body before generating the request hash.
When sending a request:
- Convert your request body (or query parameters, if it's a GET request) to a JSON string.
- Concatenate your API key and the stringified body using a colon (:): payload = API_KEY + ":" + JSON.stringify(body)
- Generate an HMAC-SHA256 hash of that payload using your API secret key.
2. Code Examples
```javascript
/**
 * Generate API-Hash for request authentication
 *
 * Example: Creating a hash for Prestmit API requests
 * Language: JavaScript (Node.js)
 */
const CryptoJS = require('crypto-js');

const API_KEY = 'your_api_key_here';
const API_SECRET = 'your_api_secret_here';

// Example request body (replace with your own data)
// Remember to remove the 'attachments' field from the body.
const body = JSON.stringify({
  amount: 5000,
  currency: 'USD'
});

// Step 1: Create the payload
const payload = `${API_KEY}:${body}`;

// Step 2: Generate HMAC-SHA256 hash
const hash = CryptoJS.HmacSHA256(payload, API_SECRET).toString();

// Step 3: Add these headers to your request
console.log({
  'API-Key': API_KEY,
  'API-Hash': hash,
  'Content-Type': 'application/json'
});
```

```php
<?php
// =============================================
// Prestmit API Hash Generator - PHP Version
// =============================================
$API_KEY = 'your_api_key_here';
$API_SECRET = 'your_api_secret_here';

// stringify the request body
$body = json_encode([
    'amount' => 5000,
    'currency' => 'USD'
    // Do NOT include 'attachments' if present
]);

// Step 1: Create payload
$payload = $API_KEY . ':' . $body;

// Step 2: Generate HMAC-SHA256
$hash = hash_hmac('sha256', $payload, $API_SECRET);

// Step 3: Headers you should send
$headers = [
    'API-Key' => $API_KEY,
    'API-Hash' => $hash,
    'Content-Type' => 'application/json'
];

// For debugging / testing
echo "Payload (for debugging only - don't send):\n";
echo $payload . "\n\n";
echo "Generated headers:\n";
print_r($headers);
echo "\nHash length: " . strlen($hash) . " characters\n";
// Should be exactly 64 characters
```

Example output:

```json
{
  "API-Key": "abc12345",
  "API-Hash": "f3b2aefc9b5c90c65dd6e3e4787e99fba8f6d123456...",
  "Content-Type": "application/json"
}
```

3. Example Request
Content-Type:
POST: multipart/form-data
GET: application/json
```http
POST /api/partners/v1/giftcard-trade/buy/calculate-payment HTTP/1.1
Host: api.prestmit.io
Accept: application/json
API-KEY: key_dev_xyzowllww....
Content-Length: 317
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="giftCardSKU"

922
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="price"

5
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="quantity"

1
------WebKitFormBoundary7MA4YWxkTrZu0gW--
```

```http
GET /api/partners/v1/general/service-availability HTTP/1.1
Host: prestmit.test
Content-Type: application/json
Accept: application/json
API-KEY: key_dev_xyzowllww....
```

4. Server Verification (How It Works Behind the Scenes)
When your request reaches Prestmit:
- The server reconstructs the same payload (API_KEY + ":" + body).
- It generates a new HMAC using your stored secret.
- It compares both hashes:
  - If they match, the request is authentic.
  - If not, the request is rejected (401 Unauthorized).
This ensures your request hasn't been altered and that it truly originated from your account.
5. Quick Summary
| Step | Action | Purpose |
|---|---|---|
| 1 | Combine your API_KEY and request body | Creates a unique payload |
| 2 | Generate HMAC-SHA256 using your API_SECRET | Signs the payload |
| 3 | Add the API-Hash to headers | Authenticates your request |
| 4 | Server re-generates and compares | Verifies authenticity |
Important Notes
- Always use the exact same body content for hashing and sending the request. Even a minor difference in spaces or key order will cause authentication to fail.
- Use UTF-8 encoding when generating hashes.
- Never expose your API Secret Key publicly (e.g., in client-side code or browser).
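
The server-side check from "Server Verification" and the exact-bytes rule in the notes above, as an added Node.js example (not Prestmit's code). The key, secret, secret store and function names are constructed for illustration, and the constant-time comparison is an addition the page does not mention.

```javascript
// Added example, not Prestmit's code. Keys, secrets and bodies are constructed.
const crypto = require('crypto');

// Hypothetical secret store: API key -> API secret.
const SECRETS = new Map([['key_demo_123', 'secret_demo_456']]);

// HMAC-SHA256 over API_KEY + ":" + body string, hex-encoded (64 characters).
function apiHash(apiKey, apiSecret, bodyString) {
  return crypto.createHmac('sha256', apiSecret)
    .update(`${apiKey}:${bodyString}`, 'utf8')
    .digest('hex');
}

// Client: drop 'attachments', serialize once, send exactly that string.
function signRequest(apiKey, apiSecret, body) {
  const { attachments, ...signed } = body;
  const bodyString = JSON.stringify(signed);
  const hash = apiHash(apiKey, apiSecret, bodyString);
  return { bodyString, headers: { 'API-KEY': apiKey, 'API-Hash': hash } };
}

// Server: recompute over the raw received string, compare in constant time.
// Returns 200 on a match and 401 otherwise.
function verifyRequest(headers, rawBody) {
  const secret = SECRETS.get(headers['API-KEY']);
  const sent = headers['API-Hash'];
  // Reject unknown keys and anything that is not a 64-char hex digest.
  if (!secret || typeof sent !== 'string' || !/^[0-9a-f]{64}$/i.test(sent)) return 401;
  const expected = Buffer.from(apiHash(headers['API-KEY'], secret, rawBody), 'hex');
  return crypto.timingSafeEqual(expected, Buffer.from(sent, 'hex')) ? 200 : 401;
}

// Constructed cases: same fields, but only the exact signed string verifies.
function demo() {
  const req = signRequest('key_demo_123', 'secret_demo_456',
    { amount: 5000, currency: 'USD', attachments: ['receipt.png'] });
  const check = (raw, h = req.headers) => verifyRequest(h, raw);
  return {
    bodyString: req.bodyString,
    exact: check(req.bodyString),
    reordered: check(JSON.stringify({ currency: 'USD', amount: 5000 })),
    spaced: check('{"amount": 5000, "currency": "USD"}'),
    tampered: check('{"amount":9000,"currency":"USD"}'),
    unknownKey: check(req.bodyString, { ...req.headers, 'API-KEY': 'nope' }),
  };
}

console.log(demo());
```

Only the `exact` case returns 200; reordered keys, extra spaces, a changed amount and an unknown key all return 401, which is why the string you hash must be the string you send.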
Testing Your Authentication
Verification Endpoint
The simplest way to verify your authentication setup is working correctly is to use the service availability endpoint:
GET /general/service-availability
If your authentication is successful, you'll receive a response like:
```json
{
  "buyGiftCard": true,
  "sellGiftCard": true,
  "nairaWalletWithdrawal": true,
  "cedisWalletWithdrawal": true
}
```

Common Authentication Errors
| Error | Possible Cause | Solution |
|---|---|---|
| 401 Unauthorized | Invalid API key or hash | Double-check your API credentials |
| 400 Bad Request | Malformed request or missing headers | Check your request format and headers |
| 429 Too Many Requests | Rate limit exceeded | Reduce request frequency |
Next Steps
Now that you understand our authentication system, you can:
- Set up webhooks for real-time notifications
- Learn how to sell gift cards through the API
- Learn how to buy gift cards through the API
- Learn how you can make money using Prestmit's API
Updated 13 days ago