
Security

All API requests must be made over HTTPS (TLS 1.2).

API authentication

Every request to the API must be authenticated using HTTP Message Signatures (RFC 9421). HTTP Message Signatures use an asymmetric signature algorithm where the client signs specific components of the HTTP request with their private key, and the server verifies this signature using the client's public key. This implementation uses RSA-PKCS1-v15 with SHA-256 hashing.

Generate RSA Keys

Generate an RSA key pair for signing requests:

```shell
# Generate a 2048-bit private key
openssl genrsa -out private-key.pem 2048

# Extract the public key
openssl rsa -in private-key.pem -pubout -out public-key.pem
```

Share the public key (public-key.pem) with developer support by emailing support@nomupay.com. The support team will provide the key identifier (keyId) which must be included in every request.

Required Headers

Each authenticated request must include:

  1. host: The host the request is sent to, without any path (for example uppos.nomupay.com, not uppos.nomupay.com/path).
  2. date: Timestamp of the request in HTTP date format (e.g., Fri, 24 Jun 2025 12:34:56 GMT).
  3. digest: SHA-256 hash of the request body encoded in base64 format, prefixed with SHA-256=.
  4. Authorization: The signature information in the following format:

```http
Authorization: Signature keyId="your-key-id",algorithm="rsa-sha256",headers="(request-target) host date digest",signature="base64-encoded-signature"
```

The Authorization header contains these parameters:

  • keyId: The ID to identify the private key used to sign the request.
  • algorithm: The algorithm used for the signature. Must be rsa-sha256.
  • headers: Space-separated list of header names included in the signature. Must include (request-target), host, date, and digest in that order.
  • signature: Base64-encoded signature of the constructed signing string.

Signature Construction

  1. Create a signing string by concatenating the covered headers, in the order listed above, as one name: value line per header separated by newlines; the (request-target) line holds the lowercase HTTP method followed by the request path (see the example signing string under Code Snippets).
  2. Generate a SHA-256 hash of this string.
  3. Sign the hash with your RSA private key using PKCS1-v15 padding.
  4. Encode the resulting signature using base64.

Revoke/rotate keys

If your private key has been compromised, generate new keys immediately and contact support@nomupay.com to revoke the old keys.

It's possible to have multiple keys active simultaneously during rotation periods. Generate new keys before revoking old ones to ensure service continuity.

Code Snippets

```javascript
const authenticate = (body) => {
  const crypto = require('crypto');
  const fs = require('fs');
  const path = require('path');

  // Generate digest of the request body with base64 encoded SHA-256
  const digest = crypto.createHash('sha256').update(body, 'utf8').digest('base64');
  console.log(`Digest: SHA-256=${digest}`);

  // Signing string: the covered headers, one per line, separated by newlines
  const message = `(request-target): post /payment
host: localhost
date: Fri, 6 Jun 2025 11:30:30 +0000
digest: SHA-256=${digest}`;

  const privateKeyPath = path.resolve(__dirname ? __dirname : process.cwd(), './testdata/test_private.pem');
  const privateKey = fs.readFileSync(privateKeyPath, 'utf8');

  // Create a SHA-256 message digest (hash) of the message and sign it with the
  // RSA private key (PKCS#1 v1.5 padding), as OpenSSL would do
  const result = {
    message: message,
    digest: digest,
    signature: crypto.sign('sha256', message, privateKey).toString('base64')
  };
  return result;
};

module.exports = authenticate;
```

Example signing string for a request:

```
(request-target): post /endpoint-path
host: api.example.com
date: Fri, 24 Jun 2025 12:34:56 GMT
digest: SHA-256=base64-encoded-hash-of-body
```