Using Signature

Last updated 13 days ago

If you use one of the supplied SDKs, you do not need the code in the following sections, because the signature can be generated by calling the generate_signature function. The generated signature has to be passed as a string in your request.

Overview

To communicate with our system, we require a unique signature on each request to ensure that both parties are who they say they are. This signature should be generated at the time of the job submission. To calculate your signature, you will need your partner ID and API Key for Signature, both of which are available on the portal.

API Key for Signature

Partner ID

Your partner ID: 085

String Value of your partner ID: "085"

Generating the signature

Follow the steps below to generate your signature:

  1. Create a timestamp in an ISO date format

  2. Update the HMAC function's message with the timestamp created in step 1, your partner ID, and the string "sid_request"

  3. Base64-encode the resulting HMAC digest

Example code for creating the signature

Ruby

require 'openssl'
require 'time'
require 'base64'

# ISO 8601 UTC timestamp with milliseconds; send this same string in the request
timestamp = Time.now.utc.iso8601(3)
api_key = '<Your Signature API Key>'
partner_id = '<Your partner id>'
hmac = OpenSSL::HMAC.new(api_key, 'sha256')
hmac.update(timestamp)
hmac.update(partner_id)
hmac.update("sid_request")

signature = Base64.strict_encode64(hmac.digest())

Node.js

let crypto = require("crypto");
// ISO 8601 UTC timestamp; send this same string in the request
let timestamp = new Date().toISOString();
let api_key = "<Your Signature API Key>";
let partner_id = "<Your partner id>";
let hmac = crypto.createHmac("sha256", api_key);

hmac.update(timestamp, "utf8");
hmac.update(partner_id, "utf8");
hmac.update("sid_request", "utf8");

let signature = hmac.digest().toString("base64");

Python

import base64
import hashlib
import hmac
from datetime import datetime, timezone

# ISO 8601 UTC timestamp; send this same string in the request
timestamp = datetime.now(timezone.utc).isoformat()
partner_id = "<Your partner id>"
api_key = "<Your Signature API Key>"
hmac_new = hmac.new(api_key.encode("utf-8"), digestmod=hashlib.sha256)
hmac_new.update(timestamp.encode("utf-8"))
hmac_new.update(str(partner_id).encode("utf-8"))
hmac_new.update("sid_request".encode("utf-8"))

calculated_signature = base64.b64encode(hmac_new.digest()).decode("utf-8")

PHP

<?php

$api_key = "<Your Signature API Key>";
$partner_id = "<Your partner id>";
// ISO 8601 UTC timestamp with milliseconds; send this same string in the request
$timestamp = (new DateTime('now', new DateTimeZone('UTC')))->format('Y-m-d\TH:i:s.v\Z');
$message = $timestamp . $partner_id . "sid_request";
$signature = base64_encode(hash_hmac('sha256', $message, $api_key, true));

Java

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Base64;

// Place inside a method that handles NoSuchAlgorithmException and InvalidKeyException
String apiKey = "<Your Signature API Key>";
String partnerId = "<Your partner id>";
// ISO 8601 UTC timestamp; send this same string in the request
String timestamp = Instant.now().truncatedTo(ChronoUnit.MILLIS).toString();
Mac mac = Mac.getInstance("HmacSHA256");
mac.init(new SecretKeySpec(apiKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
mac.update(timestamp.getBytes(StandardCharsets.UTF_8));
mac.update(partnerId.getBytes(StandardCharsets.UTF_8));
mac.update("sid_request".getBytes(StandardCharsets.UTF_8));
String signature = Base64.getEncoder().encodeToString(mac.doFinal());

C#

using System;
using System.Security.Cryptography;
using System.Text;

namespace csharp_sample
{
    class Program
    {
        static void Main(string[] args)
        {
            // ISO 8601 UTC timestamp with milliseconds; send this same string in the request
            string timeStamp = DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss.fffZ", System.Globalization.CultureInfo.InvariantCulture);
            string apiKey = "<API-Key>";
            string partnerID = "<partner-id>";
            string data = timeStamp + partnerID + "sid_request";

            UTF8Encoding utf8 = new UTF8Encoding();
            Byte[] key = utf8.GetBytes(apiKey);
            Byte[] message = utf8.GetBytes(data);

            HMACSHA256 hash = new HMACSHA256(key);
            var signature = hash.ComputeHash(message);

            Console.WriteLine("Signature: " + Convert.ToBase64String(signature));
            Console.WriteLine("TimeStamp: " + timeStamp);
        }
    }
}

Reminder: You must pass the signature as a string in your request. Your timestamp should be a string in the ISO format "yyyy-MM-dd'T'HH:mm:ss.fffZ"

Confirming an incoming signature

To verify that a response received on your callback genuinely originates from Smile ID, you can confirm the returned signature and timestamp. The sample code below can be used to confirm the signature in the request:

Example code for confirming the signature

Ruby

require 'openssl'
require 'time'
require 'base64'

# Example inputs - replace these with actual received values
# The signature received in the callback response
received_signature = ""
# The actual timestamp received in the callback response
received_timestamp = ""

# Your partner ID
partner_id = ""
# Your API key for the environment concerned (sandbox / production)
api_key = ""

# Function to verify the signature
def confirm_signature(received_signature, received_timestamp, partner_id, api_key)
  hmac = OpenSSL::HMAC.new(api_key, 'sha256')
  hmac.update(received_timestamp)
  hmac.update(partner_id)
  hmac.update("sid_request")

  generated_signature = Base64.strict_encode64(hmac.digest)

  # Constant-time comparison, so the check does not leak how many characters matched
  OpenSSL.secure_compare(received_signature, generated_signature)
end

# Print out a confirmation status
is_signature_valid = confirm_signature(received_signature, received_timestamp, partner_id, api_key)
puts "Is the signature valid? #{is_signature_valid}"

Node.js

const crypto = require("crypto");

// Inputs received along with the request
let received_signature = ""; // The signature received in the callback response
let received_timestamp = ""; // The actual timestamp received in the callback response

let partner_id = ""; // Your partner ID
let api_key = ""; // Your API key for the environment concerned (sandbox / production)

function confirmSignature(
  received_signature,
  received_timestamp,
  partner_id,
  api_key
) {
  let hmac = crypto.createHmac("sha256", api_key);
  hmac.update(received_timestamp, "utf8");
  hmac.update(partner_id, "utf8");
  hmac.update("sid_request", "utf8");

  // Generate the signature based on received data
  let generated_signature = hmac.digest().toString("base64");

  // Compare in constant time; timingSafeEqual requires buffers of equal length
  const generated = Buffer.from(generated_signature, "utf8");
  const received = Buffer.from(String(received_signature), "utf8");
  return (
    generated.length === received.length &&
    crypto.timingSafeEqual(generated, received)
  );
}

const is_signature_valid = confirmSignature(
  received_signature,
  received_timestamp,
  partner_id,
  api_key
);
console.log(`Is the signature valid? ${is_signature_valid}`);

Python

import base64
import hashlib
import hmac

# The signature received in the callback response
received_signature = ""
# The actual timestamp received in the callback response
received_timestamp = ""

# Your partner ID
partner_id = ""
# Your API key for the environment concerned (sandbox / production)
api_key = ""

def confirm_signature(received_signature, received_timestamp, partner_id, api_key):
    # Recreate the HMAC object with the same parameters
    hmac_new = hmac.new(api_key.encode("utf-8"), digestmod=hashlib.sha256)
    hmac_new.update(received_timestamp.encode("utf-8"))
    hmac_new.update(str(partner_id).encode("utf-8"))
    hmac_new.update("sid_request".encode("utf-8"))

    # Generate the signature again
    generated_signature = base64.b64encode(hmac_new.digest()).decode("utf-8")

    # Compare the provided signature with the generated one in constant time
    return hmac.compare_digest(received_signature, generated_signature)

# Print out a confirmation status
is_signature_valid = confirm_signature(received_signature, received_timestamp, partner_id, api_key)
print(f"Is the signature valid? {is_signature_valid}")

PHP

<?php

// Assume these values are received with the request
$receivedSignature = ""; // The signature received in the callback response
$receivedTimestamp = ""; // The actual timestamp received in the callback response

$partnerId = ""; // Your partner ID
$apiKey = ""; // Your API key for the environment concerned (sandbox / production)

function confirmSignature(string $receivedSignature, string $receivedTimestamp, string $partnerId, string $apiKey): bool
{
    // Concatenate the received data to form the message
    $message = $receivedTimestamp . $partnerId . "sid_request";

    // Generate the HMAC hash of the message
    $generatedSignature = base64_encode(hash_hmac('sha256', $message, $apiKey, true));

    // Compare in constant time (known value first) and return a boolean response
    return hash_equals($generatedSignature, $receivedSignature);
}

// Print out a confirmation status
$is_signature_valid = confirmSignature($receivedSignature, $receivedTimestamp, $partnerId, $apiKey) ? 'True' : 'False';
echo "Is the signature valid? ".$is_signature_valid;

Java

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class ConfirmSignature {

    public static void main(String[] args) {
        String receivedSignature = ""; // The signature received in the callback response
        String receivedTimestamp = ""; // The actual timestamp received in the callback response
        String partnerId = ""; // Your partner ID
        String apiKey = ""; // Your API key for the environment concerned (sandbox / production)

        boolean isSignatureValid = confirmSignature(receivedSignature, receivedTimestamp, partnerId, apiKey);
        System.out.println("Is the signature valid? " + isSignatureValid);
    }

    public static boolean confirmSignature(String receivedSignature, String receivedTimestamp, String partnerId,
            String apiKey) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(apiKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
            mac.update(receivedTimestamp.getBytes(StandardCharsets.UTF_8));
            mac.update(partnerId.getBytes(StandardCharsets.UTF_8));
            mac.update("sid_request".getBytes(StandardCharsets.UTF_8));

            // Generate the signature based on received data
            String generatedSignature = Base64.getEncoder().encodeToString(mac.doFinal());

            // Compare the generated signature with the received signature in constant time
            return MessageDigest.isEqual(
                    generatedSignature.getBytes(StandardCharsets.UTF_8),
                    receivedSignature.getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }
}

C#

using System;
using System.Security.Cryptography;
using System.Text;

public static class SignatureCheck
{
    // Use the signature and timestamp from the response sent to you via the webhook.
    // This method returns true if the signature is fine and has not been tampered with.
    public static bool confirmSignature(string receivedSignature, string receivedTimestamp, string partnerID, string apiKey)
    {
        string data = receivedTimestamp + partnerID + "sid_request";

        UTF8Encoding utf8 = new UTF8Encoding();
        byte[] key = utf8.GetBytes(apiKey);
        byte[] message = utf8.GetBytes(data);

        using (HMACSHA256 hash = new HMACSHA256(key))
        {
            byte[] generatedSignature = hash.ComputeHash(message);
            try
            {
                byte[] oldSignature = Convert.FromBase64String(receivedSignature);
                // Constant-time comparison (.NET Core 2.1 or later)
                return CryptographicOperations.FixedTimeEquals(oldSignature, generatedSignature);
            }
            catch (FormatException)
            {
                // Not valid Base64, so it cannot match
                return false;
            }
        }
    }
}

Reminder: You must pass the received signature, received timestamp, partner id and api key as strings.
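The following is an added example, not Smile ID's code, extending the Python check above. Because the signed message is only the timestamp, the partner ID and "sid_request", it also rejects callbacks whose timestamp falls outside a freshness window. The `max_age_seconds` default, the helper names and the sample key, partner ID and timestamp are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone


def sign(timestamp, partner_id, api_key):
    """HMAC-SHA256 over timestamp + partner_id + "sid_request", Base64-encoded."""
    mac = hmac.new(api_key.encode("utf-8"), digestmod=hashlib.sha256)
    for part in (timestamp, str(partner_id), "sid_request"):
        mac.update(part.encode("utf-8"))
    return base64.b64encode(mac.digest()).decode("utf-8")


def parse_iso(timestamp):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is treated as UTC."""
    if timestamp.endswith("Z"):
        timestamp = timestamp[:-1] + "+00:00"
    parsed = datetime.fromisoformat(timestamp)
    if parsed.tzinfo is None:  # assumption: a timestamp without an offset is UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def verify_callback(received_signature, received_timestamp, partner_id, api_key,
                    now=None, max_age_seconds=300):
    """Return (ok, reason). max_age_seconds is an assumed local policy value."""
    if not isinstance(received_signature, str) or not isinstance(received_timestamp, str):
        return False, "missing signature or timestamp"
    expected = sign(received_timestamp, partner_id, api_key)
    # Check the MAC first, in constant time, before trusting the timestamp.
    if not hmac.compare_digest(received_signature.encode("utf-8"),
                               expected.encode("utf-8")):
        return False, "signature mismatch"
    try:
        sent_at = parse_iso(received_timestamp)
    except ValueError:
        return False, "unparseable timestamp"
    now = now or datetime.now(timezone.utc)
    # An authentic but old (signature, timestamp) pair is rejected as stale.
    if abs(now - sent_at) > timedelta(seconds=max_age_seconds):
        return False, "stale timestamp"
    return True, "ok"


# Constructed sample values (not real credentials).
SAMPLE_KEY = "constructed-test-key"
SAMPLE_PARTNER = "085"
SAMPLE_TS = "2024-01-01T12:00:00.000Z"
SAMPLE_SIG = sign(SAMPLE_TS, SAMPLE_PARTNER, SAMPLE_KEY)
```

Pass `now` explicitly in tests; in a callback handler leave it unset so the current UTC time is used.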

You can find and generate your API key here. The key is unique to each environment, so you will need a different key for the sandbox and production environments. You can rotate your API key at any time; however, your previous key will be immediately disabled.

You will need to know your partner ID to create the signature. Your partner ID can be viewed when logged into the portal. To calculate your signature, you will need to input your partner ID as a string, as explained below.

Create a new hmac-sha256 hash function using Signature API Key.