Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.tender.cash/llms.txt

Use this file to discover all available pages before exploring further.

All requests require authentication using HMAC signature-based authentication. You can get your API credentials (Access ID and Access Secret) from the Tender dashboard. Each request must include these required headers: 
x-access-id: <YOUR_ACCESS_ID>
x-request-id: <UUID_V4>
x-timestamp: <ISO_8601_TIMESTAMP>
authorization: <HMAC_SIGNATURE>
Content-Type: application/json

Request Signing

To protect the integrity of your API requests, Tender uses HMAC-SHA256 signature authentication. This ensures that each request is securely verified and that the data hasn’t been altered in transit. Each request’s headers must include:
  1. x-access-id: Your public API access ID
  2. x-request-id: A unique UUID v4 for each request
  3. x-timestamp: Current timestamp in ISO 8601 format
  4. authorization: Base64-encoded HMAC-SHA256 signature

How Signatures Are Generated

An authorization signature is generated using:
  1. A JSON payload containing the timestamp, request ID, and access ID
  2. Your API secret key
  3. HMAC-SHA256 algorithm
  4. Base64 encoding of the resulting hash
The signed payload structure: 
{
  "timeStamp": "<ISO 8601 timestamp>",
  "requestId": "<UUID v4>",
  "accessId": "<your access ID>"
}

Signature Algorithm

hash = Base64(HMAC_SHA256(JSON.stringify(payload), accessSecret))

Example

import crypto from 'crypto';
import { v4 as uuidv4 } from 'uuid';

function generateSignature(accessId, accessSecret) {
  // Generate request ID and timestamp
  const requestId = uuidv4();
  const timeStamp = new Date().toISOString();
  
  // Create the payload to sign
  const payload = {
    timeStamp: timeStamp,
    requestId: requestId,
    accessId: accessId
  };
  
  // Generate HMAC-SHA256 signature
  const hmac = crypto.createHmac('sha256', accessSecret);
  hmac.update(JSON.stringify(payload));
  const signature = hmac.digest('base64');
  
  return {
    'x-access-id': accessId,
    'x-request-id': requestId,
    'x-timestamp': timeStamp,
    'authorization': signature,
    'Content-Type': 'application/json'
  };
}

// Usage
const accessId = 'YOUR_ACCESS_ID';
const accessSecret = 'YOUR_ACCESS_SECRET';

const headers = generateSignature(accessId, accessSecret);
console.log('Headers:', headers);

// Make API request
const response = await fetch('https://secureapi.tender.cash/v1/api/agent/create', {
  method: 'POST',
  headers: headers,
  body: JSON.stringify({
    firstName: 'John',
    lastName: 'Doe',
    email: 'john@example.com',
    phoneNumber: '1234567890',
    location: 'Lagos',
    address: '123 Main Street',
    country: 'Nigeria'
  })
});

const data = await response.json();
console.log('Response:', data);

Important Notes

  • Keep your Access Secret secure: Never expose it in client-side code or public repositories
  • Generate a new request ID for each request using UUID v4
  • Use ISO 8601 format for timestamps (e.g., 2025-03-15T09:45:53.000Z)
  • Invalid signatures will result in a 401 Unauthorized error
For troubleshooting authentication errors, see the Errors section.