The Embedded Account Capture Session API uses the same HMAC-SHA512 request signing as all Ingo Payments products. Authentication is required only for the server-side Session Create call — the iFrame SDK itself handles recipient-side interactions without additional signing.Documentation Index
Fetch the complete documentation index at: https://developers.ingopayments.com/llms.txt
Use this file to discover all available pages before exploring further.
Your HMAC credentials are provisioned by your Ingo integration manager
at onboarding. The secret is used locally to sign requests and is never
transmitted.
The
Authorization header and signature construction are identical across
all Ingo products. See the IngoPay API Authentication
page for the complete step-by-step signature guide, full request example,
and common error reference.Authorization header format
Required headers
| Header | Description |
|---|---|
X-Date | Current timestamp in GMT/RFC 1123 format. ±300s clock skew allowed. |
Content-sha512 | Base64-encoded SHA-512 hash of the raw request body (RAW output, not hex). |
Content-Length | Byte length of the request body. |
Content-Type | Always application/json. |
Authorization | HMAC-SHA512 signature header (constructed last). |
Environments
| Environment | Base URL |
|---|---|
| Sandbox | https://payapi-sandbox.ingo.money |
| Production | https://payapi.ingo.money |
iFrame SDK authentication
The iFrame SDK is initialized using theauthorized_url returned from the
Session Create API. The SDK handles its own session authentication
transparently — no additional HMAC signing is required from the client
browser. All browser-to-Ingo communication is handled within the iFrame
over HTTPS.