Skip to main content

Documentation Index

Fetch the complete documentation index at: https://apidocs.hopnow.io/llms.txt

Use this file to discover all available pages before exploring further.

For complete implementation guides, code examples, and troubleshooting, see the Authentication Guide in Getting Started.

Overview

The HopNow API uses HMAC-SHA256 signatures to authenticate all requests. Every API request must include four authentication headers.

Required Headers

HeaderDescription
X-API-KeyYour API key identifier
X-SignatureHMAC-SHA256 signature of the request
X-TimestampUnix timestamp when request was created
X-NonceUnique random token (32 hex characters)

Signature Format

The signature is created by hashing the following payload with your API secret: 
{METHOD}{URL}{TIMESTAMP}{NONCE}{BODY}
Components:
  • METHOD: Uppercase HTTP method (GET, POST, PATCH, DELETE)
  • URL: Complete URL including protocol, domain, path, and query parameters
  • TIMESTAMP: Unix timestamp as string
  • NONCE: Unique 32-character hex string (prevents replay attacks)
  • BODY: JSON request body as string (empty string for GET/DELETE)

Quick Example

import hmac
import hashlib
import time
import secrets

def create_signature(method, url, timestamp, nonce, body, api_secret):
    payload = f"{method.upper()}{url}{timestamp}{nonce}{body}"
    signature = hmac.new(
        api_secret.encode('utf-8'),
        payload.encode('utf-8'),
        hashlib.sha256
    ).hexdigest()
    return signature

# Usage
timestamp = str(int(time.time()))
nonce = secrets.token_hex(16)
signature = create_signature(
    "POST",
    "https://api.hopnow.io/v1/customers/cus_123/accounts",
    timestamp,
    nonce,
    '{"name":"My Account"}',
    "your_api_secret"
)

Security Requirements

  • Timestamp validation: Requests older than 5 minutes are rejected
  • Nonce uniqueness: Each nonce can only be used once within the 5-minute window
  • HTTPS only: All requests must use HTTPS
  • Keep secrets secure: Never expose your API secret in client-side code or logs