Authentication

Authentication with the Glo Currency Partners API relies on correctly setting the headers on each request with the following data:

  • Accept and Content-Type should be application/json
  • Authorization carries your application's API key, in the form Bearer [YOUR_API_KEY]
  • Authorization-Nonce is a string that must be unique per request; generating a new GUID for every request is the preferred approach
  • Authorization-Signature is an HMAC-SHA512 digest of the nonce, request method, URL, and a SHA512 hash of the request body; you will need your API Secret to sign it

You will also need:

  • your API Secret, obtainable from our team
  • the request body - this should be a JSON string
  • the full request URL, including protocol, host, port and query parameters

Example data

For the following example, we will assume you are using the following details to pay out a cash collection transaction:

  • API Key: YOUR_API_KEY
  • API Secret: YOUR_API_SECRET
  • Nonce: 7d90bf64-59d2-4c7b-9930-25ddc75d0dc0
  • A POST request to
    https://mw-sandbox.glocurrency.com/api/v2/partners/cash_collection/0000000123/payout
    
  • Request Body:
{
    "code": "456000",
    "branch_id": "unique-branch-id"
}

Building the signature

The string to sign is generated by concatenating request-specific strings together, joined with an ampersand (&):

  • the Authorization-Nonce value
  • the HTTP verb, in uppercase
    • GET
    • POST
    • PUT
    • PATCH
    • DELETE
  • the full request URL, including protocol, host, port, query parameters and anchors
  • a SHA512 hex digest of the request body's JSON
    • for the example data above, this will be
      adff087b838643652ea2a4fa61ee993946c60902027f4c9ff45e2f346dc2e6d4fad9fc9a1a7ceef048932f056f1bda5e38b15290c21720bdd61bffe93aea5ed8
      
    • for GET and DELETE requests this should be the SHA512 hash for the empty string
      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
      
  • please note that, depending on the language, characters in the JSON may be escaped differently and your result might be different from this

For the example values above, this results in the following string to sign:

7d90bf64-59d2-4c7b-9930-25ddc75d0dc0&POST&https://mw-sandbox.glocurrency.com/api/v2/partners/cash_collection/0000000123/payout&adff087b838643652ea2a4fa61ee993946c60902027f4c9ff45e2f346dc2e6d4fad9fc9a1a7ceef048932f056f1bda5e38b15290c21720bdd61bffe93aea5ed8

This string to sign is then signed with the HMAC-SHA512 algorithm, keyed with your API Secret (HMAC produces a keyed digest; it does not encrypt the data), with the resulting value:

b67f0d3f99a9cc16bf412f3475832e450af50233e6d9eaffd97ca419ac7f669bfdb8c89f8363ce05ca2fca0de7fc6ba754e92e18fd596d101222426e20b81839

This is passed as the Authorization-Signature header for sending the request.

Full sample header

Accept: application/json
Content-Type: application/json
Authorization: Bearer YOUR_API_KEY
Authorization-Nonce: 7d90bf64-59d2-4c7b-9930-25ddc75d0dc0
Authorization-Signature: b67f0d3f99a9cc16bf412f3475832e450af50233e6d9eaffd97ca419ac7f669bfdb8c89f8363ce05ca2fca0de7fc6ba754e92e18fd596d101222426e20b81839
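
The signing steps above as a Python sketch; this is an added example, not code published by Glo Currency. The function names are hypothetical, and it assumes the API Secret and the string to sign are UTF-8 encoded and that the signature is sent as a lowercase hex digest, as in the sample header.

```python
import hashlib
import hmac
import json
import uuid

def string_to_sign(nonce: str, method: str, url: str, body: bytes) -> str:
    """nonce & VERB & full URL & SHA512 hex digest of the exact body bytes."""
    body_hash = hashlib.sha512(body).hexdigest()  # body is b"" for GET and DELETE
    return "&".join([nonce, method.upper(), url, body_hash])

def sign(api_secret: str, message: str) -> str:
    """HMAC-SHA512 hex digest of the string to sign, keyed with the API Secret."""
    # Assumption: secret and message are encoded as UTF-8 before signing.
    return hmac.new(api_secret.encode(), message.encode(), hashlib.sha512).hexdigest()

def signed_headers(api_key, api_secret, method, url, body=b"", nonce=None):
    """Build the full header set for one request."""
    nonce = nonce or str(uuid.uuid4())  # fresh GUID per request, never reused
    signature = sign(api_secret, string_to_sign(nonce, method, url, body))
    return {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "Authorization": f"Bearer {api_key}",
        "Authorization-Nonce": nonce,
        "Authorization-Signature": signature,
    }

# Constructed sample: the page's example request with placeholder credentials.
URL = "https://mw-sandbox.glocurrency.com/api/v2/partners/cash_collection/0000000123/payout"
# Serialise the JSON once and send these exact bytes. Re-serialising elsewhere
# can change whitespace or escaping, which changes the body hash and signature.
BODY = json.dumps({"code": "456000", "branch_id": "unique-branch-id"}).encode()

if __name__ == "__main__":
    headers = signed_headers("YOUR_API_KEY", "YOUR_API_SECRET", "POST", URL, BODY)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

The digests this prints match the sample values above only if the serialised body is byte-for-byte the JSON that was hashed for this page, so hash and transmit the same byte string.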

API Environments

  • For testing, use https://mw-sandbox.glocurrency.com/api/v2/partners/
  • For production, use https://mw-production.glocurrency.com/api/v2/partners/

You will need a valid API Key and API Secret for each environment, obtainable from our team once your application has been approved.