Skip to content
>
Mode: standard

Authentication

HMAC-SHA256

Authenticate every request.

The CoinPayments API requires three request headers and a unique HMAC signature on every authenticated call. The signature is computed with your integration's client secret and proves both identity and integrity of each request.

Prerequisite

Do this first
Create an API Integration

Create an integration on the CoinPayments dashboard to receive your clientId and clientSecret. Every authenticated request is bound to a specific integration.

Try it · Signature Playground

Web Crypto · client-side
Fact-check your integration's signature

Provide the same inputs your code uses, see the canonical message we sign, the Base64 signature CoinPayments expects, and a one-click diff against whatever your integration computed. Everything runs in the browser via Web Crypto — your client secret never leaves this page.

Use a test secret here, not your production secret. The math is identical, so a deliberately placeholder secret is enough to verify your code is correct.
Canonical message
6 inputs · no separators
  • 1BOMconstant\ufeff
  • 2MethodrequestPOST
  • 3URLendpointhttps://a-api.coinpayments.net/api/v2/merchant/wallets
  • 4Client IDrequest4f8b9d2e-1234-5678-9abc-def012345678
  • 5Timestamprequest2026-06-19T19:19:19
  • 6Raw bodyrequest{"currency":"4","label":"Online Shop Wallet"}
Concatenated164 chars
\ufeffPOSThttps://a-api.coinpayments.net/api/v2/merchant/wallets4f8b9d2e-1234-5678-9abc-def0123456782026-06-19T19:19:19{"currency":"4","label":"Online Shop Wallet"}
Expected signature
(rendered on hydration)

This is the value to send as the X-CoinPayments-Signature header for the inputs above.

Paste your integration's signature
Waiting
Need the full math? See Generate API Signature for the worked example in (and a step-by-step walk-through of the same flow you just ran here).
Public endpoints do not require authentication. You can call them without any headers or signature.