[#1356] Help with Order Approval – 403 Bad Credentials

Migrated from Redmine #1356 | Author: Yehoshua Preiser
Status: Feedback | Priority: High, I’m very impatient | Created: 2025-02-11

Hello Support Team,

I am trying to approve an order using the API endpoint:
POST /api/order/{id}/approve
(SBPay.me - Single place for all payment processors),
but I keep getting the error:

Error occurred: Bad credentials
Code: 403

I have a few questions:

1. How do I obtain the X-Auth-Token?

   • I am using the value provided in my account settings, but it does not seem to work.
   • Could you confirm the correct way to retrieve this token?

2. How should I generate the request signature?

   • Should I sign the entire request body as a JSON string or only the values?
   • Should the values be concatenated with a | (pipe) separator?
   • Example: Should I sign this?

     "123456|1707570000|sha256|yaad|tx_789|Approved by merchant|true"
     

   • Or should I sign the entire JSON body as a string?

Any guidance would be greatly appreciated!

Thank you

Dmytro Bondarev wrote:

Hi,

You are using sbpay API, please see documentation here: SBPay.me - Single place for all payment processors

To access API, the X-Auth-Token and X-Merchant headers are mandatory. Additionally, certain methods may also require the X-Signature header, which is the HMAC (Hash-based Message Authentication Code) for the request body. The algorithm used for the HMAC can be specified by passing it as 'algo' in the request.

The X-Auth-Token header is the API key for the merchant and can be found in the merchant's account page.
The X-Merchant header is the merchant ID.

To get API key in sbpay please make new user with admin access and login in into it, then you will be able to see API keys section.
X-Merchant - is your merchant id (what you see in the url before .sbpay.me).
X-Signature - is hmac of your request body with secret key. HMAC - Wikipedia

There is also SDK for PHP sbpay/sdk - Packagist.org