Authentication

All API requests to TxnCheck must be authenticated using an API key. This page explains how to obtain and use your API keys, and optionally how to sign requests for enhanced security.

Obtaining API Keys

API keys are provided by the TxnCheck team during merchant onboarding. Self-registration is not available.
To obtain your API keys:
  1. Contact your TxnCheck account manager
  2. Or visit TxnCheck Dashboard
Once your account is set up, you can view your API keys in the Merchant Dashboard under Settings → API Keys.

API Key Authentication

Include your API key in the X-API-Key header with every request:
curl -X POST "https://api.txncheck.in/api/v1/upi-by-mobile" \
  -H "X-API-Key: fb_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{"mobile": "+919876543210"}'

Request Signing (Optional)

For enhanced security, you can sign your requests using HMAC-SHA256. Signing is optional, but once it is enabled for your merchant account, signed requests are required.

Signature Headers

| Header | Description |
|---|---|
| X-API-Key | Your API key (always required) |
| X-Timestamp | Current Unix timestamp in milliseconds |
| X-Signature | HMAC-SHA256 signature of the request |

Signature Algorithm

The signature is computed as:
signature = HMAC-SHA256(timestamp.METHOD.path.body, api_secret)
Where:
  • timestamp - The value of X-Timestamp header
  • METHOD - HTTP method in uppercase (e.g., POST)
  • path - Full request path including query string (e.g., /api/v1/upi-by-mobile)
  • body - JSON stringified request body (or {} if empty)
  • api_secret - Your API secret key

Signing Examples

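const crypto = require('crypto');
const axios = require('axios');

// Compute the X-Timestamp and X-Signature values for one request.
function signRequest(method, path, body, apiSecret) {
  const timestamp = Date.now().toString(); // Unix time in milliseconds
  const bodyString = JSON.stringify(body || {});
  const signaturePayload = `${timestamp}.${method}.${path}.${bodyString}`;

  const signature = crypto
    .createHmac('sha256', apiSecret)
    .update(signaturePayload)
    .digest('hex');

  return { timestamp, signature };
}

// Usage (wrapped in an async function so that await is valid in CommonJS)
async function main() {
  const { timestamp, signature } = signRequest(
    'POST',
    '/api/v1/upi-by-mobile',
    { mobile: '+919876543210' },
    'your_api_secret_here'
  );

  // axios serializes the object with JSON.stringify, so the bytes sent
  // match the bodyString that was signed.
  const response = await axios.post(
    'https://api.txncheck.in/api/v1/upi-by-mobile',
    { mobile: '+919876543210' },
    {
      headers: {
        'X-API-Key': 'fb_your_api_key_here',
        'X-Timestamp': timestamp,
        'X-Signature': signature,
        'Content-Type': 'application/json'
      }
    }
  );
  return response.data;
}

main().then(console.log).catch(console.error);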

Timestamp Validation

Signed requests must include a timestamp within 5 minutes of the current server time. Requests with expired timestamps will be rejected with a 401 Unauthorized error.

Method Access Control

Your API key may be configured with access to specific verification methods. If you attempt to use a method not enabled for your account, you’ll receive a 403 Forbidden error. Contact your account manager to request access to additional methods.

IP Whitelisting

For enhanced security, you can configure IP whitelisting for your merchant account. When enabled, API requests will only be accepted from your whitelisted IP addresses.
IP whitelisting is configured in the Merchant Dashboard under Settings → Security.

Error Responses

Authentication errors return standard HTTP status codes:

| Status Code | Description |
|---|---|
| 401 Unauthorized | Missing or invalid API key |
| 401 Unauthorized | Invalid or expired signature |
| 403 Forbidden | API key lacks access to requested method |
| 403 Forbidden | Request from non-whitelisted IP |

Example Error Response

{
  "statusCode": 401,
  "message": "Invalid API key",
  "error": "Unauthorized"
}

Best Practices

Use Environment Variables

Store API keys in environment variables, never in code

Enable Request Signing

Use HMAC signatures for production integrations

Use IP Whitelisting

Restrict API access to known IP addresses

Monitor API Usage

Track usage in the dashboard for anomalies