Skip to main content

Documentation Index

Fetch the complete documentation index at: https://developers.ingopayments.com/llms.txt

Use this file to discover all available pages before exploring further.

All Ingo Payments APIs use HMAC-SHA512 request signing. This is not an API-key-in-header pattern — every request must be signed using a shared secret that never leaves your server. The Authorization header carries the result of that signing process.
Your HMAC credentials are provisioned by your Ingo integration manager at onboarding. You will receive a username and a secret. The secret is used locally to sign requests and is never transmitted.

Credentials

CredentialDescription
usernameIdentifies your integration in the Authorization header
secretUsed locally to sign each request. Never transmitted.
participant_idNumeric identifier included in the request body

Authorization header format

Every request must include an Authorization header in this exact format: 
hmac username="{username}", algorithm="hmac-sha512", headers="{header_string}", signature="{signature}"
Example: 
Authorization: hmac username="test", algorithm="hmac-sha512", headers="request-line x-date content-type content-sha512 content-length", signature="hAMqhSX6eogO1QpES9Dg9WynJWJPNxFLe1wtV4ppfvmGmqpYCiJYm6lqrHNjcmQUZCyMBdK86Zkm+m3BJwj3XA=="
ParameterValue
usernameYour Ingo-issued username
algorithmAlways hmac-sha512
headersSpace-separated list of signed header names (see below)
signatureBase64-encoded HMAC-SHA512 signature (see below)

Building the signature — step by step

1

Assemble required headers

Every request must include these headers. Generate them before signing:X-Date — Current timestamp in GMT/RFC 1123 format. Ingo allows a clock skew of ±300 seconds. Requests outside this window are rejected to prevent replay attacks. Use X-Date rather than Date to avoid conflicts with HTTP libraries.
X-Date: Fri, 17 Jan 2020 19:59:29 GMT
Content-sha512 — Base64-encoded SHA-512 hash of the raw request body. Ingo uses this to verify body integrity — if the hashes don’t match, the request is rejected. Use RAW (not hex) output from your hashing library before Base64 encoding.
Content-sha512: HpXfYk7qDatRNVlGHQOv3ELyAVd+JCdUcpHB5PMnu08EYbfH...
Content-Length — Byte length of the request body.
Content-Length: 398
Content-Type — Always application/json.
Content-Type: application/json
2

Build the header string

The header string is a space-separated, lowercase list of the header names you are signing, in the order they appear in the signature string. Always begin with request-line.
request-line x-date content-type content-sha512 content-length
This exact string becomes the headers parameter value in your Authorization header.
3

Build the signature string

The signature string is constructed by concatenating the values of each item in the header string, separated by newline characters \n. No trailing newline.For request-line — append the HTTP request line:
POST /gateway/verify HTTP/1.1
For each header — append lowercased-header-name: value:
x-date: Fri, 17 Jan 2020 19:59:29 GMT
content-type: application/json
content-sha512: HpXfYk7qDatRNVlGHQOv3ELyAVd+JCdUcpHB5PMnu08EYbfH...
content-length: 398
Concatenated signature string:
POST /gateway/verify HTTP/1.1\nx-date: Fri, 17 Jan 2020 19:59:29 GMT\ncontent-type: application/json\ncontent-sha512: HpXfYk7qDatRNVlGHQOv3ELyAVd+JCdUcpHB5PMnu08EYbfH...\ncontent-length: 398
4

Hash and encode the signature string

Sign the signature string using HMAC-SHA512 with your secret key. Base64-encode the result.
Use RAW output from your HMAC library — not hex. Base64-encoding hex output will produce an incorrect signature.
The resulting value is your signature parameter:
hAMqhSX6eogO1QpES9Dg9WynJWJPNxFLe1wtV4ppfvmGmqpYCiJYm6lqrHNjcmQUZCyMBdK86Zkm+m3BJwj3XA==
5

Assemble the Authorization header

Combine all parameters into the Authorization header:
Authorization: hmac username="test", algorithm="hmac-sha512", headers="request-line x-date content-type content-sha512 content-length", signature="hAMqhSX6eogO1QpES9Dg9WynJWJPNxFLe1wtV4ppfvmGmqpYCiJYm6lqrHNjcmQUZCyMBdK86Zkm+m3BJwj3XA=="

Full request example

POST /gateway/verify HTTP/1.1
Host: payapi-sandbox.ingo.money
Authorization: hmac username="test", algorithm="hmac-sha512", headers="request-line x-date content-type content-sha512 content-length", signature="hAMqhSX6eogO1QpES9Dg9WynJWJPNxFLe1wtV4ppfvmGmqpYCiJYm6lqrHNjcmQUZCyMBdK86Zkm+m3BJwj3XA=="
X-Date: Fri, 17 Jan 2020 19:59:29 GMT
Content-sha512: HpXfYk7qDatRNVlGHQOv3ELyAVd+JCdUcpHB5PMnu08EYbfHID7zQJXihCxjmGKRULH+QFYxYch05aDPKjWb+Q==
Content-Length: 398
Content-Type: application/json

{
  "participant_id": 00000,
  "account_type": "CA",
  "recipient_first_name": "Tom",
  "recipient_last_name": "Smith",
  "account": "4264531111111115",
  "expiration_date": "2212",
  "cvv": "000",
  "recipient_address1": "123 Main St.",
  "recipient_city": "Smallville",
  "recipient_state": "TX",
  "recipient_zip": "93245",
  "recipient_phone": "8015555555",
  "participant_unique_id1": "0001",
  "timestamp": 1579291169,
  "version": "11"
}

Environments

EnvironmentBase URL
Sandboxhttps://payapi-sandbox.ingo.money
Productionhttps://payapi.ingo.money
Use sandbox credentials for all development and testing. Production credentials are issued after sandbox certification is complete.

Common errors

ErrorCauseFix
401 UnauthorizedInvalid signatureVerify secret, signature string construction, and RAW (not hex) HMAC output
401 Clock skewX-Date outside ±300s windowSync your server clock with NTP
400 Body hash mismatchContent-sha512 doesn’t match bodyRecompute hash from the exact body bytes being sent
400 Missing headerRequired header absentEnsure X-Date, Content-sha512, Content-Length, and Content-Type are all present

Implementation notes

  • The secret is never included in the request — only used locally to generate the signature
  • Include participant_id in the request body, not in the headers
  • Additional headers beyond the required set may be included and signed — add them to the header string in the order they appear
  • The header string order in your Authorization header must exactly match the order used to build your signature string