HMAC-SHA512
所有交易类请求(cash-out、cash-in、refund)均需要 HMAC-SHA512 签名以保证完整性和真实性。
工作原理
- 将请求体序列化为 JSON
- 使用您的
client_secret作为密钥生成 HMAC-SHA512 签名 - 在
hmac请求头中发送签名
必需请求头
| 请求头 | 值 |
|---|---|
Authorization | Bearer {access_token} |
Content-Type | application/json |
hmac | 十六进制格式的 HMAC-SHA512 签名 |
示例
JavaScript (Node.js)
javascript
const crypto = require('crypto');
const body = JSON.stringify({
amount: 10000,
pix_key: "12345678901",
description: "Payment"
});
const hmac = crypto
.createHmac('sha512', 'your-api-key-secret')
.update(body)
.digest('hex');
// 作为请求头发送: hmac: {value}Python
python
import hmac
import hashlib
import json
body = json.dumps({
"amount": 10000,
"pix_key": "12345678901",
"description": "Payment"
})
signature = hmac.new(
b"your-api-key-secret",
body.encode("utf-8"),
hashlib.sha512
).hexdigest()PHP
php
$body = json_encode([
'amount' => 10000,
'pix_key' => '12345678901',
'description' => 'Payment'
]);
$hmac = hash_hmac('sha512', $body, 'your-api-key-secret');Java
java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
String body = "{\"amount\":10000,\"pix_key\":\"12345678901\",\"description\":\"Payment\"}";
String secret = "your-api-key-secret";
Mac mac = Mac.getInstance("HmacSHA512");
SecretKeySpec keySpec = new SecretKeySpec(secret.getBytes(), "HmacSHA512");
mac.init(keySpec);
byte[] hash = mac.doFinal(body.getBytes());
StringBuilder sb = new StringBuilder();
for (byte b : hash) {
sb.append(String.format("%02x", b));
}
String hmac = sb.toString();C#
csharp
using System.Security.Cryptography;
using System.Text;
var body = "{\"amount\":10000,\"pix_key\":\"12345678901\",\"description\":\"Payment\"}";
var secret = Encoding.UTF8.GetBytes("your-api-key-secret");
using var hmacSha512 = new HMACSHA512(secret);
var hash = hmacSha512.ComputeHash(Encoding.UTF8.GetBytes(body));
var hmac = BitConverter.ToString(hash).Replace("-", "").ToLower();Bash (curl)
bash
BODY='{"amount":10000,"pix_key":"12345678901","description":"Payment"}'
SECRET="your-api-key-secret"
HMAC=$(echo -n "$BODY" | openssl dgst -sha512 -hmac "$SECRET" | awk '{print $2}')
curl -X POST https://api.owem.com.br/api/v2/external/pix/cash-out \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-H "hmac: $HMAC" \
-d "$BODY"验证
API 会将收到的 HMAC 与请求体进行验证。如果签名不匹配:
json
{
"worked": false,
"detail": "HMAC invalido"
}重要提示
- 请求体必须与发送时完全一致(相同的 JSON 序列化)
- API Key 的
client_secret即为 HMAC 密钥 - 签名必须为小写十六进制格式