Base URLs

Requests are made over HTTPS to the following endpoints. Please use the URLs exactly as they appear below.

Environment	Base URL
Sandbox	https://www.sandbox.striga.com/api/v1
Sandbox Dashboard	https://portal.striga.com
Production	Please contact us

Request Headers

All API requests must be accompanied by the following headers -

Header Parameter	description
api-key	Your API key as visible on your dashboard's credential section
Authorization	A signature generated using the `API Secret` from your dashboard's credential section. More information below on generating a signature.
Content-Type	application/json

🚧
API Keys
The sandbox and production environments mirror each other, except for the base URL and your API keys. Please contact us on support@striga.com to elevate your application to production

👍
Doppler
We strongly recommend using a secrets manager to manage API keys and secrets. Plain text files like dotenv lead to accidental costly leaks. Use Doppler (https://www.doppler.com/l/partner-program) for a developer friendly experience. AWS and Google Cloud have native solutions as well.

📘
Calculating HMAC on Striga v1
Please note that from v1 onwards, the root of the URL that includes /api/v1 is NOT included in the calculation of the HMAC, unlike in v0.

Calculating your request signature

You can calculate the value of the Authorization header above by creating a SHA256HMAC digest (MD5) of your request body, signed with your API Secret, in the following manner -

Fetch the current UNIX timestamp

const time = Date.now().toString();

Stringify the body of your request. For Example:

const bodyString = JSON.stringify(body);

// For a GET request, please use an empty body such as:
// const bodyString = JSON.stringify({});

Calculate the hex encoded MD5 digest of your request body exactly as it will be sent. For GET requests, please include an empty body '{}' that evaluates to an MD5 of 99914b932bd37a50b983c5e7c90ae93b.

const requestContentHexString = CryptoJS.MD5(bodyString).toString(CryptoJS.enc.Hex);

// For a GET request, the bodyString above for example would just be '{}' and the calculated MD5 is 99914b932bd37a50b983c5e7c90ae93b

Concatenate the UNIX timestamp with the request verb, path and the requestContentHexString

const signatureRawData = time + 'POST' + '/card/create' + requestContentHexString;

User your API Secret to create a SHA256 HMAC digest in hex

const apiSecret = '<YOUR_API_SECRET>';
const requestSignatureHexString = CryptoJS.HmacSHA256(signatureRawData, apiSecret).toString(CryptoJS.enc.Hex);

Finally, create your authorization header as follows, using the verb 'HMAC ' concatenated with the timestamp and the requestSignatureHexString, separated by a :

const authorizationHeader = 'HMAC ' + time + ':' + requestSignatureHexString;

Putting it all together:

import crypto from 'crypto';

const hmac = crypto.createHmac('sha256', '<YOUR_API_SECRET>');
const time = Date.now().toString();

hmac.update(time);
hmac.update('POST');
hmac.update('/ping');

const contentHash = crypto.createHash('md5');
contentHash.update(JSON.stringify({
    "dummy": 1,
    "data": 2
}));

hmac.update(contentHash.digest('hex'));

console.log(`HMAC ${time}:${hmac.digest('hex')}`);