Using Signature (Recommended)

If you use one of the supplied SDKs, there is no reason to use the code in the following section as the signature can be generated by calling the generate_signature function. The generated signature has to be passed as a string in your request.


To communicate with our system we require a signature on each request to ensure that both parties are who they say they are. To calculate your signature, you will need your partner ID and API Key for Signature, both of which are available on the portal.

API Key for Signature

You can find and generate your an API key here. The key is unique to each environment, so you will need a different key for the sandbox and production environments. You can rotate your API key any time, however your previous key will be immediately disabled.

Partner ID

You will need to know your partner ID, to create the signature. Your partner ID can be viewed when logged into the portal. To calculate your signature you will need to input your partner ID as a string, as explained below

Your partner ID: 085

String Value of your partner ID: "085"

Generating the signature

Follow the steps below to generate your signature

  1. Create a timestamp in an ISO date format

  2. Create a new hmac-sha256 hash function using Signature API Key.

  3. Update the function message with timestamp created in 1, your partner Id, and "sid_request" string

  4. Base64 encode the encrypted hash

Example code for creating the signature

require 'openssl'
require 'time'
require 'base64'

timestamp =
api_key = '<Your Signature API Key>'
partner_id = '<Your partner id>'
hmac =, 'sha256')
hmac.update(timestamp) hmac.update(partner_id)

signature = Base64.strict_encode64(hmac.digest())

Reminder: You must pass the signature as a string in your request. Your timestamp should be a string in the ISO format "yyyy-MM-dd'T'HH:mm:ss.fffK"

Confirming an incoming signature

To verify the authenticity of the response received from your callback as genuinely originating from Smile ID, you can confirm the returned signature and timestamp. The sample codes provided below can be used to confirm the signature in the request:

Example code for confirming the signature

require 'openssl'
require 'time'
require 'base64'

# Example inputs - replace these with actual received values
# The signature received in the callback response
received_signature = ""
# The actual timestamp received in the callback response
received_timestamp = ""

# Your partner ID
partner_id = ""
# Your api key for the environment in concern (sandbox / production)
api_key = ""

# Function to verify the signature
def confirm_signature(received_signature, received_timestamp, partner_id, api_key)
  hmac =, 'sha256')

  generated_signature = Base64.strict_encode64(hmac.digest)

  received_signature == generated_signature

# print out a confirmation status
is_signature_valid = confirm_signature(received_signature, received_timestamp, partner_id, api_key)
puts "Is the signature valid? #{is_signature_valid}"

Reminder: You must pass the received signature, received timestamp, partner id and api key as strings.

Last updated