Authentication & Security
All requests must be authenticated using your credentials and include the specific Merchant Identifier for routing purposes.
Credentials
Merchants receive:
- api_key: Public identifier for your merchant account (String).
- secret_key: Private key used to sign requests (keep this secret).
- merchant_identifier: Unique integer ID assigned during onboarding (passed in headers).
Request Headers
Every request requires the following headers:
| Header | Description | Example Value |
|---|---|---|
| X-TW-API-Key | Your API Key | ak_live_123456 |
| X-TW-Merchant-Identifier | Your Merchant ID (Integer) | 10092 |
| X-TW-Timestamp | Unix Timestamp (seconds) | 1701234567 |
| X-TW-Signature | HMAC-SHA256 Signature of the body + timestamp | a1b2c3... |
| Content-Type | Always JSON | application/json |
Signature Logic
POST requests:
string_to_sign = X-TW-Merchant-Identifier + "|" + X-TW-Timestamp + "|" + POST_BODY
signature = hmac_sha256(secret_key, string_to_sign)
GET requests: use the full request URL, including query parameters, in place of the body.
string_to_sign = X-TW-Merchant-Identifier + "|" + X-TW-Timestamp + "|" + FULL_REQUEST_URL
signature = hmac_sha256(secret_key, string_to_sign)
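The signing rules above as an added Python example (not the provider's own code), with a receiver-side check that compares signatures in constant time. Assumptions not stated on the page: UTF-8 encoding, a lowercase hex digest (suggested by the `a1b2c3...` sample), the 300-second `max_skew` tolerance, the helper names, and the constructed secret key, body and URL.

```python
import hashlib
import hmac
import json
import time

def sign(secret_key, merchant_id, timestamp, payload):
    # payload is the raw POST body, or the full request URL for a GET
    string_to_sign = f"{merchant_id}|{timestamp}|{payload}"
    mac = hmac.new(secret_key.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()  # assumption: hex output

def build_headers(api_key, secret_key, merchant_id, payload, timestamp=None):
    ts = int(time.time()) if timestamp is None else timestamp
    return {
        "X-TW-API-Key": api_key,
        "X-TW-Merchant-Identifier": str(merchant_id),
        "X-TW-Timestamp": str(ts),
        "X-TW-Signature": sign(secret_key, merchant_id, ts, payload),
        "Content-Type": "application/json",
    }

def verify(secret_key, headers, payload, now=None, max_skew=300):
    # Receiver-side check; max_skew is an assumed tolerance, not from the page
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-TW-Timestamp"])
        merchant_id = int(headers["X-TW-Merchant-Identifier"])
        sig = headers["X-TW-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > max_skew:  # stale or future-dated request
        return False
    expected = sign(secret_key, merchant_id, ts, payload)
    return hmac.compare_digest(expected.encode("utf-8"), sig.encode("utf-8"))

# Constructed sample values; the secret key and URL are placeholders
API_KEY = "ak_live_123456"
SECRET_KEY = "sk_example_not_real"
MERCHANT_ID = 10092
TS = 1701234567

# Serialize the body once, then sign and send that exact string
POST_BODY = json.dumps({"amount": 1000, "currency": "USD"}, separators=(",", ":"))
POST_HEADERS = build_headers(API_KEY, SECRET_KEY, MERCHANT_ID, POST_BODY, TS)

# For GET, the signed payload is the full URL with its query string
GET_URL = "https://api.example.com/v1/payments?status=paid&limit=10"
GET_HEADERS = build_headers(API_KEY, SECRET_KEY, MERCHANT_ID, GET_URL, TS)
```

Re-serializing the JSON after signing (different key order or whitespace) changes the bytes and invalidates the signature, so sign the exact string that goes on the wire.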