# Authorization

## API Authentication

Authentication is done using an API key and a secret key. To generate this pair, read [API Setup](https://docs.aquapay.io/integration-guide/api-setup).

As an example, we will use the "/payment/v1/requestPaymentAddress" endpoint to show how to authenticate. The same approach can be used for all endpoints that require authentication.

The authentication values are sent as HTTP headers named:

* x-nonce
* x-api-key
* x-signature

### Code Example

{% tabs %}
{% tab title="Javascript" %}

```javascript
require("isomorphic-fetch");
const crypto = require("crypto");

async function sendRequest() {
  const apiKey = "YOUR_API_KEY";
  const apiSecret = "YOUR_API_SECRET";

  const path = "/payment/v1/requestPaymentAddress";
  const nonce = Date.now().toString();
  const httpMethod = "POST";

  const signatureContent = JSON.stringify({
    httpMethod,
    path,
    nonce,
  });

  const sig = crypto
    .createHmac("sha384", apiSecret)
    .update(signatureContent)
    .digest("hex");

  try {
    const res = await fetch(`https://api-staging.aquanow.io${path}`, {
      method: httpMethod,
      headers: {
        "x-nonce": nonce,
        "x-api-key": apiKey,
        "x-signature": sig,
      },
      body: JSON.stringify({
        cryptoType: "BTC",
        fiat: "CAD",
        fiatReceivable: 5,
        subaccount: "YOUR_CUSTOM_PAYMENT_ID",
      }),
    });
    if (res.status !== 200) {
      throw new Error(`${(await res.json()).message} status ${res.status}`);
    }
    const result = await res.json();
    console.log("Result: ", result);
  } catch (error) {
    console.log("error", error);
  }
}

sendRequest();
```

{% endtab %}

{% tab title="PHP" %}

```php
<?php
require_once 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;

$method = 'GET';
$endpoint = '/payment/v1/payment';
// Millisecond timestamp, kept as a string so the signed value and the header match exactly.
$nonce = (string) (int) round(microtime(true) * 1000);
$apiKey = 'YOUR_API_KEY';
$apiSecret = 'YOUR_API_SECRET';
$content = [
    'httpMethod' => $method,
    'path' => $endpoint,
    'nonce' => $nonce,
];
// JSON_UNESCAPED_SLASHES keeps "/" unescaped so the signed string matches the JavaScript example.
$json = json_encode($content, JSON_UNESCAPED_SLASHES);
$signature = hash_hmac('sha384', $json, $apiSecret);

$client = new Client([
    'base_uri' => 'https://api-staging.aquanow.io',
    'headers' => [
        'x-nonce' => $nonce,
        'x-api-key' => $apiKey,
        'x-signature' => $signature,
    ],
]);

try {
    $response = $client->request($method, $endpoint, [
        'query' => [
            'startTime' => 1628654316000,
            'endTime' => 1628654346000,
        ],
    ]);

    echo $response->getBody();
} catch (RequestException $error) {
    // Not every failed request carries a response (for example, a network error).
    echo $error->hasResponse()
        ? $error->getResponse()->getBody()->getContents()
        : $error->getMessage();
} catch (\Exception $error) {
    // Generic exceptions have no response object; print the message instead.
    echo $error->getMessage();
}

```

{% endtab %}
{% endtabs %}
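The following added example (not part of the original documentation) factors the signing step from the tabs above into reusable helpers and adds a local check that recomputes the signature, which helps when tracking down a 401. `checkRequest` and its `maxAgeMs` freshness window are assumptions made for illustration; the server's actual nonce tolerance is not stated on this page, and the key and secret in any call are constructed values.

```javascript
const crypto = require("crypto");

// The string that gets signed: JSON with keys in the order httpMethod, path, nonce.
// The nonce is serialized as a string and "/" stays unescaped, as JSON.stringify emits it.
function signatureContent(httpMethod, path, nonce) {
  return JSON.stringify({ httpMethod, path, nonce: String(nonce) });
}

// HMAC-SHA384 over the signed string, hex encoded (96 hex characters).
function sign(apiSecret, httpMethod, path, nonce) {
  return crypto
    .createHmac("sha384", apiSecret)
    .update(signatureContent(httpMethod, path, nonce))
    .digest("hex");
}

// Builds the three auth headers; the same nonce string is signed and sent.
function buildAuthHeaders(apiKey, apiSecret, httpMethod, path, nonce = Date.now()) {
  return {
    "x-nonce": String(nonce),
    "x-api-key": apiKey,
    "x-signature": sign(apiSecret, httpMethod, path, nonce),
  };
}

// Hypothetical local check (assumption, not the documented server logic):
// rejects a nonce older or newer than maxAgeMs, then compares signatures in constant time.
function checkRequest(headers, apiSecret, httpMethod, path, nowMs, maxAgeMs = 30000) {
  const nonce = Number(headers["x-nonce"]);
  if (!Number.isFinite(nonce) || Math.abs(nowMs - nonce) > maxAgeMs) {
    return "stale-nonce";
  }
  const expected = Buffer.from(sign(apiSecret, httpMethod, path, headers["x-nonce"]), "hex");
  const given = Buffer.from(String(headers["x-signature"]), "hex");
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return "bad-signature";
  }
  return "ok";
}
```

Note that the signed `path` here is the bare endpoint path, as in the PHP tab where the query parameters are passed separately; signing a different method or a path with a query string appended produces a different signature.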

### Common Auth Errors

#### 401

HTTP 401 usually happens when the auth headers of the request contain invalid credentials. You will also receive 401 when the `nonce` used in calculating the auth credentials is outdated.

#### 403

HTTP 403 usually happens when a request is blocked by the IP whitelist or uses an incorrect URL or HTTP method.
