DigiChat Documentation
Authentication

Signing headers and examples.

Authentication (HMAC)

Your API token goes in the URL. Some endpoints (like sendMessage) also require a signature.

Headers

  • X-API-Timestamp: milliseconds since epoch (example: Date.now())
  • X-API-Signature: hex-encoded HMAC-SHA256 of the signed string (see Signature), keyed with your API secret

Signature

You sign these three values, concatenated in this order with no separator:

timestamp + token + rawBody

Where rawBody is the exact JSON string you send.

Common mistake
If you re-serialize JSON (different spacing / key order), the signature won’t match. Sign the exact string you send.

Example (Node.js)

import crypto from "crypto";

const token = process.env.DIGICHAT_API_TOKEN;
const secret = process.env.DIGICHAT_API_SECRET;

const timestamp = String(Date.now());
const body = JSON.stringify({ phone: "963912345678", message: "Hello!" });

const signature = crypto
  .createHmac("sha256", secret)
  .update(timestamp + token + body)
  .digest("hex");

// Send `body` unchanged as the request body, with these headers:
// X-API-Timestamp: timestamp
// X-API-Signature: signature

Example (PHP)

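// Milliseconds since epoch, as a string
$timestamp = (string) round(microtime(true) * 1000);
// env() is the Laravel helper; outside Laravel, read these with getenv()
$token = env('DIGICHAT_API_TOKEN');
$secret = env('DIGICHAT_API_SECRET');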

$body = json_encode([
  'phone' => '963912345678',
  'message' => 'Hello!'
], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);

// Sign the encoded string, then send $body exactly as encoded above
$signature = hash_hmac('sha256', $timestamp . $token . $body, $secret);

Common mistakes

  • Signing a different JSON than what you actually send (whitespace/order differences).
  • Using seconds instead of milliseconds.
  • Using a token value that doesn’t match the URL.
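
Added example (not part of the DigiChat documentation or SDK): a local preflight check that recomputes the signature over the exact string about to be sent and reports which of the mistakes above applies. The helper names buildSignedRequest and preflight, the 13-digit timestamp heuristic, and the sample token and secret are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// HMAC-SHA256 over timestamp + token + rawBody, hex-encoded, keyed with the secret.
function sign(secret, timestamp, token, rawBody) {
  return crypto.createHmac("sha256", secret)
    .update(timestamp + token + rawBody, "utf8")
    .digest("hex");
}

// Hypothetical helper: serialize once and hand back the exact string that was
// signed, so the caller sends those bytes and not a second serialization.
function buildSignedRequest({ token, secret, payload, now = Date.now() }) {
  const timestamp = String(now);
  const rawBody = JSON.stringify(payload);
  const headers = {
    "X-API-Timestamp": timestamp,
    "X-API-Signature": sign(secret, timestamp, token, rawBody),
  };
  return { rawBody, headers };
}

// Hypothetical preflight: recompute the signature over what is about to be
// sent and report which of the listed mistakes applies. Returns [] when clean.
function preflight({ token, secret, headers, rawBody }) {
  const problems = [];
  const ts = String(headers["X-API-Timestamp"]);
  // Assumption: current epoch milliseconds have 13 digits, seconds have 10.
  if (!/^\d{13}$/.test(ts)) problems.push("timestamp is not epoch milliseconds");
  const expected = Buffer.from(sign(secret, ts, token, rawBody), "hex");
  const given = Buffer.from(String(headers["X-API-Signature"]), "hex");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    problems.push("signature does not match token + body being sent");
  }
  return problems;
}

// Constructed sample values, not real credentials.
const sample = { token: "tok_example", secret: "secret_example" };
const signed = buildSignedRequest({ ...sample, payload: { phone: "963912345678", message: "Hello!" } });
const respaced = JSON.stringify(JSON.parse(signed.rawBody), null, 2); // same data, different bytes
console.log("exact string:", preflight({ ...sample, ...signed }));
console.log("re-serialized:", preflight({ ...sample, headers: signed.headers, rawBody: respaced }));
console.log("wrong token:", preflight({ ...signed, secret: sample.secret, token: "tok_other" }));
```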