Security
Authentication, Signatures and Idempotency
Authenticate every request and sign sensitive write calls for safe server-side integrations.
Topics: Bearer auth, HMAC signatures, Idempotency
Authentication
Use your secret API key as a bearer token on every request. Keep this key server-side only.
```http
Authorization: Bearer YOUR_SECRET_API_KEY
Accept: application/json
Content-Type: application/json
```
Signed write requests
Write requests that create or move money should include a timestamp, HMAC signature and idempotency key. The signature is created from the exact raw JSON body.
| Header | Required | Description |
|---|---|---|
| X-NeroPay-Timestamp | For signed writes | Unix timestamp in seconds. |
| X-NeroPay-Signature | For signed writes | HMAC SHA-256 of timestamp + "." + rawBody using your secret key. |
| Idempotency-Key | For signed writes | Unique key for safe retries. Reuse the same key when retrying the same request body. |
| NeroPay-Account | Optional | Used by NeroConnect platforms to act for a connected merchant. |
PHP signing helper
```php
// The page shows only the curl tail of the helper; the wrapping function name and its
// $url, $headers and $rawBody parameters are assumed. $headers must already carry the
// bearer, timestamp, signature and idempotency headers, and $rawBody must be the exact
// bytes those headers were computed over.
function neroPaySend(string $method, string $url, array $headers, ?string $rawBody = null): ?array
{
    $ch = curl_init($url);
    $options = [
        CURLOPT_CUSTOMREQUEST => $method,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER => $headers,
    ];
    if ($rawBody !== null) {
        $options[CURLOPT_POSTFIELDS] = $rawBody; // send the signed bytes unchanged, never re-encode
    }
    curl_setopt_array($ch, $options);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response === false ? null : json_decode($response, true);
}
```
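The signing scheme from the header table, as an added example that is not NeroPay's own code: it builds the signed-write headers from the secret key, timestamp and raw body, and shows the check a receiver performs on them. The secret, the request body, the idempotency key and the 300-second timestamp window are constructed or assumed values.

```php
<?php
// Added example (not NeroPay's code). Builds the headers for a signed write:
// X-NeroPay-Signature = HMAC-SHA256(timestamp + "." + rawBody, secret), hex encoded.
function neroPaySignedHeaders(string $secret, string $rawBody, string $idempotencyKey, ?int $now = null): array
{
    $timestamp = (string) ($now ?? time());
    $signature = hash_hmac('sha256', $timestamp . '.' . $rawBody, $secret);
    return [
        'Authorization: Bearer ' . $secret,
        'Accept: application/json',
        'Content-Type: application/json',
        'X-NeroPay-Timestamp: ' . $timestamp,
        'X-NeroPay-Signature: ' . $signature,
        'Idempotency-Key: ' . $idempotencyKey, // reuse the same key when retrying the same body
    ];
}

// Receiver-side check: recompute over the bytes actually received, compare in
// constant time, and reject timestamps outside an accepted window (window assumed).
function neroPayVerify(string $secret, string $timestamp, string $signature, string $receivedBody, int $now, int $tolerance = 300): bool
{
    if (!ctype_digit($timestamp) || abs($now - (int) $timestamp) > $tolerance) {
        return false;
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $receivedBody, $secret);
    return hash_equals($expected, $signature);
}

// Constructed sample values; not a real key or request.
$secret  = 'sk_test_constructed_secret';
$payload = ['amount' => 1250, 'currency' => 'USD', 'reference' => 'order-42'];
$rawBody = json_encode($payload); // these exact bytes are signed and sent
$now     = 1700000000;
$headers = neroPaySignedHeaders($secret, $rawBody, 'order-42-attempt-1', $now);
$ts  = substr($headers[3], strlen('X-NeroPay-Timestamp: '));
$sig = substr($headers[4], strlen('X-NeroPay-Signature: '));

// The same bytes verify; a re-serialized body (different whitespace) or a stale
// timestamp does not, which is why the body must be sent exactly as it was signed.
echo 'exact bytes:     ', var_export(neroPayVerify($secret, $ts, $sig, $rawBody, $now), true), PHP_EOL;
echo 'pretty-printed:  ', var_export(neroPayVerify($secret, $ts, $sig, json_encode($payload, JSON_PRETTY_PRINT), $now), true), PHP_EOL;
echo 'stale timestamp: ', var_export(neroPayVerify($secret, $ts, $sig, $rawBody, $now + 3600), true), PHP_EOL;
```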
NeroConnect account scope
Use NeroPay-Account only when the authenticated merchant is a NeroConnect platform and the request should apply to one connected merchant. A connected account id has the format NPxxxx_12345.
```http
NeroPay-Account: NP6454f52b_6165
```
A write request that is missing X-NeroPay-Timestamp or X-NeroPay-Signature, or whose signature does not verify, is rejected with an invalid_signature error:

```json
{
  "success": false,
  "error": {
    "code": "invalid_signature",
    "message": "Write requests require a valid X-NeroPay-Timestamp and X-NeroPay-Signature.",
    "details": null
  }
}
```