Computing the digest

Guideline for generating the message digest

The signed Authorization header includes, among other claims, a sha256 digest of the HTTP request (note: the Finqware API only uses POST application/json requests similar to a GraphQL API).


  1. take the json payload and compress it to a single-line json without any whitespaces

    • make sure you do not remove any useful whitespaces (eg: from a debtor name when submitting a payment)

    • it is recommended to use a standard json library to do that instead of your own regex

      # Python example
      http_payload = {
        "client_id": "51e2389....02d51",
        "client_app_key": "MDAxNmxvY2F0aWMz...D9rgv7_DySaiYgo", 
        "skill": "bt_ro_aisp_sbx_#2.0"
      # a compact stringified json without any whitespaces 
      compact_http_payload = json.dumps(http_payload, separators=(',', ':')).encode("utf-8")
  2. compute a Base64 (not URL-safe) encoded SHA-256 hash of the compressed json format

    digest = hashlib.sha256(compact_http_payload).digest()
    b64_digest = base64.b64encode(digest).decode("utf-8")


  • make sure your HTTP client sends the request with the json keys in the same order as in the payload used when computing the digest

Last updated