400 Bad Request
Request body is invalid JSON
{"error":"Bad content format", "code":"bad_content_format"}
This error can occur for the following reasons:
- Malformed or invalid JSON. The request body could not be parsed. Ensure it is valid JSON.
- Missing Content-Type header. The
Content-Type header must be set to application/json.
403 Forbidden
Signature header does not match the request body
{"error":"Bad signature header", "code":"bad_header_signature"}
The value in X-Processing-Signature did not match the request body. See Authentication for how to generate the signature correctly. This can happen for several reasons:
- Signature not converted to string. The signature is generated from a data array without first converting it to a string. Ensure the signature value is sent as a string.
- Body modified after signing. The signed body must be identical to the body that is sent — no reformatting, whitespace changes, or field reordering.
- Extra characters or spaces. A code error introduces unexpected characters or spaces. Review your implementation and verify no extra characters are present.
- Signature built from the full data array. The signature is created from the entire data array — including the public key and headers — instead of the secret key only. Generate the signature exclusively from the secret key.
- Public key in wrong parameter (PHP). In some languages such as PHP, the public key may be mistakenly included in
paramsArray instead of the request body. Pass the public key in the correct location.
- Wrong secret key or environment. Sandbox and production use separate key pairs. Make sure you are using the correct set for the environment you are targeting.
{"error":"No signature header", "code":"required_header_signature"}
The request does not include the required X-Processing-Signature header. Add it with an HMAC-SHA512 signature of the request body.
{"error":"Bad key header", "code":"bad_header_key"}
The value in X-Processing-Key did not match any known API key. This can happen for several reasons:
- Non-whitelisted IP. If you have configured an IP whitelist in the Merchant Dashboard, requests from any unlisted IP will be rejected. Add the IP to the whitelist, use an already-whitelisted IP, or remove the whitelist entirely.
- Wrong environment. Production keys will not work against the sandbox endpoint, and vice versa. Check that the base URL matches the environment your keys belong to.
- Incorrect or malformed public key. Verify you are using the correct key. It contains both upper and lower case characters and must be sent exactly as provided — avoid any case transformation in your code.
- Secret key used instead of public key. The
X-Processing-Key header must contain your public key only. The secret key is used exclusively to generate and verify signatures. Refer to Get your API key for details.
{"error":"No key header", "code":"required_header_key"}
This error can occur for the following reasons:
- Missing X-Processing-Key header. Add the
X-Processing-Key header with your public API key.
- Invalid request URL. Verify the endpoint URL is correct.
Last modified on June 30, 2026