# Authentication

When making requests to CoinbarPay's API, include the <mark style="color:purple;">SERVICE\_CLIENT\_ID</mark> and a SIGNATURE\_TOKEN generated with your <mark style="color:orange;">SERVICE\_SECRET\_KEY</mark> in the headers of your HTTP requests to authenticate.

{% hint style="info" %}
This ensures that only authorized users can access and interact with your CoinbarPay data.
{% endhint %}

## Signature Token

A signature token is a secure way to hash and authenticate requests using a secret key and the serialized body of a request.

An HMAC (Hash-based Message Authentication Code) produces a token that changes if the request body is altered and that can only be generated by a holder of the secret key, so it confirms that the API call comes from an authorized source.

Take a look at the following example for Node.js that shows how to create an HMAC signature token:

```javascript
const crypto = require('crypto');

// Example Request for Payment Request creation
const requestBody = {
  //Request JSON Object or serialized query string...
};

const secretKey = 'your_secret_key';

// Function to create HMAC signature token
function createSignatureToken(requestBody, secretKey) {
  const serializedRequestBody = JSON.stringify(requestBody);

  const signatureToken = crypto
    .createHmac('sha256', secretKey)
    .update(serializedRequestBody)
    .digest('hex');

  return signatureToken;
}

//SIGNATURE_TOKEN to use as HTTP Header
const SIGNATURE_TOKEN = createSignatureToken(requestBody, secretKey);
```

{% hint style="warning" %}

#### <mark style="color:orange;">Warning</mark>

When calling the CoinbarPay API, be sure to include the generated SIGNATURE\_TOKEN and <mark style="color:purple;">SERVICE\_CLIENT\_ID</mark> in the request headers, so the system can validate the authenticity and integrity of the request.
{% endhint %}

```javascript
const axios = require("axios");

// createSignatureToken and secretKey are defined in the previous example.
const SERVICE_CLIENT_ID = "your_SERVICE_AUTH_KEY_here";

const requestBody = {
  //Payment JSON Object...
};

// Sign the same object that is sent as the request body
const signature_token = createSignatureToken(requestBody, secretKey);

axios.post("https://{{SANDBOX_ENV.BASE_URL}}/{{SANDBOX_ENV.PATH_PAYMENT_EXAMPLE}}",
  requestBody,
  {
    headers: {
      "CBPAY-API-KEY": SERVICE_CLIENT_ID,
      "SIGNATURE": signature_token,
    },
  })
.then(response => {
  console.log(response.data);
})
.catch(error => {
  console.error(error);
});
```
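
The following is an added example, not CoinbarPay's own code, showing why the signature must be computed over the exact bytes that are sent. It assumes a receiver that recomputes the HMAC over the raw body and compares it in constant time; `signBody`, `verifySignature`, the demo key and the payment fields are hypothetical.

```javascript
const crypto = require('crypto');

// Sign the exact string that will be sent as the HTTP body.
function signBody(rawBody, secretKey) {
  return crypto.createHmac('sha256', secretKey).update(rawBody).digest('hex');
}

// Hypothetical receiver-side check (assumption, not CoinbarPay's server code):
// recompute the HMAC over the raw body and compare in constant time.
function verifySignature(rawBody, receivedSignature, secretKey) {
  // Reject anything that is not exactly 64 hex characters (SHA-256 digest).
  if (typeof receivedSignature !== 'string' || !/^[0-9a-f]{64}$/i.test(receivedSignature)) {
    return false;
  }
  const expected = Buffer.from(signBody(rawBody, secretKey), 'hex');
  const received = Buffer.from(receivedSignature, 'hex');
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample values, not real credentials or a real payload.
const demoSecret = 'demo_secret_key';
const payment = { amount: '10.00', currency: 'EUR', reference: 'order-1001' };

function demo() {
  // Serialize once; sign and send this same string.
  const rawBody = JSON.stringify(payment);
  const signature = signBody(rawBody, demoSecret);

  // Same data, different key order: the serialized bytes differ.
  const reordered = JSON.stringify({ currency: 'EUR', amount: '10.00', reference: 'order-1001' });
  // Body modified after signing.
  const tampered = rawBody.replace('10.00', '99.00');

  return {
    valid: verifySignature(rawBody, signature, demoSecret),
    reordered: verifySignature(reordered, signature, demoSecret),
    tampered: verifySignature(tampered, signature, demoSecret),
    wrongKey: verifySignature(rawBody, signature, 'other_key'),
    malformed: verifySignature(rawBody, 'not-hex', demoSecret),
  };
}

console.log(demo());
```

If a client library re-serializes the object before sending, serialize the body once yourself, sign that string, and send it unchanged.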
