- All API calls use an HMAC authentication strategy with pre-shared API and secret keys.
- Sandbox and production environments have different API credentials. Do not reuse across environments.
- All requests must use HTTPS (TLS 1.2 or higher).
- You must allow outbound connections to the Meridian Base URLs.
- IP whitelisting may be required for production access depending on your program configuration. Meridian provides details if applicable.
| Header | Description |
|---|---|
X-Meridian-Api-Key | Issued by Meridian |
X-Meridian-Timestamp | Current time in milliseconds (must be within 60 seconds of the request) |
X-Meridian-Signature | HMAC SHA-256 signature |
Meridian issues your API Key and Secret during Sandbox and production provisioning.
401 Unauthorized response.
Constructing the signature
Build the canonical string
Compute the signature as an HMAC SHA-256 hash over a canonical string that concatenates the following values in order:
| Signature component | Notes |
|---|---|
API-Key | Same value as X-Meridian-Api-Key |
Timestamp | Same value as X-Meridian-Timestamp |
Request method | Example: GET, POST, PATCH |
Request path | Including any parameters. For example:/v1/users/ususr-s8f9ds7f8sdf789d7fsd89f |
Body contents | The full stringified JSON contents of the request body. If there is no body, this can be an empty string. |
Compute the HMAC
Compute the HMAC using the language-appropriate crypto library with the secret key.
Common errors
The most common causes are:- Canonical string fields concatenated in the wrong order.
- Timestamp too far from the server’s current time.
- Forgetting to compute the HMAC with your unique API Secret.
- Forgetting to SHA-256 hash the final string.