Overview

An access key public key is a secure method of communication with our API. You can generate keys from the Dashboard once you’ve created your account and logged in.

Here’s an example of how to include the secret key in your API requests:

Make requests

All requests must contain the following headers:

  • X-Access-Key - an app token that you generate in the Dashboard.
  • X-Access-Signature - a request signature in the HEX format and lowercase.
  • X-Access-Ts - a number of seconds since Unix Epoch in UTC.

Sign requests

The value of the X-Access-Signature header is generated with the sha256 HMAC algorithm using a secret key on the bytes obtained by concatenating the following information:

  • A timestamp (value of the X-Access-Ts header) taken as a string.
  • An HTTP method name in upper-case, e.g. GET or POST.
  • URI of the request without a host name, starting with a slash and including all query parameters, e.g. /api/v1/pay/confirm-status?TransactionRef=exampleRef
  • Request body, taken exactly as it will be sent. If there is no request body, e.g., for GET requests, do not include it.
/**
* Refactored Cepta Adapter Test Client
* Tested with Node.js 18+
*/

const axios = require('axios');
const crypto = require('crypto');
const FormData = require('form-data');

// App credentials and base URL
const APP_PUBLIC_KEY = 'test_pubk_xxx';
const APP_SECRET_KEY = 'test_scrk_xxxx';
const APP_BASE_URL = 'https://adapter.cepta.co';

// Axios client
const apiClient = axios.create({
baseURL: APP_BASE_URL,
headers: {
'Accept': 'application/json',
'X-Access-Key': APP_PUBLIC_KEY,
},
});

// 🔐 Interceptor for automatic signing
apiClient.interceptors.request.use(
(config) => {
console.log(`[REQUEST] ${config.method.toUpperCase()} ${config.url}`);
return createSignature(config);
},
(error) => {
console.error('Request interceptor error:', error.message);
return Promise.reject(error);
}
);

// Function to create HMAC signature
function createSignature(config) {
console.log('🔑 Creating a signature for the request...');

const ts = Math.floor(Date.now() / 1000); // Unix timestamp (seconds)
const urlObj = new URL(config.url, config.baseURL || APP_BASE_URL);
const path = urlObj.pathname;

// Create HMAC SHA256 signature
const hmac = crypto.createHmac('sha256', APP_SECRET_KEY);

// Base string format: timestamp + method + path + (body if present)
hmac.update(ts + config.method.toUpperCase() + path);

if (config.data instanceof FormData) {
// For multipart/form-data
hmac.update(config.data.getBuffer());
} else if (config.data) {
// For JSON or text
const dataString =
typeof config.data === 'string' ? config.data : JSON.stringify(config.data);
hmac.update(dataString);
}

const signature = hmac.digest('hex');

// Inject headers
config.headers['X-Access-Ts'] = ts;
config.headers['X-Access-Signature'] = signature;

console.log(`🕒 Timestamp: ${ts}`);
console.log(`🔏 Signature: ${signature}`);
console.log('----------------------------------');

return config;
}

// 💳 Purchase API
async function purchase(reqBody) {
console.log('🚀 Initiating purchase request...');
return apiClient.post('/api/v1/pay', reqBody, {
headers: {
'Content-Type': 'application/json',
},
});
}

// 📦 Confirm status API
async function confirmStatus(transactionRef) {
console.log('📡 Getting transaction status...');
return apiClient.get('/api/v1/pay/confirm-status', {
params: { TransactionRef: transactionRef },
});
}

// 🧭 Entry point
async function main() {
try {
const purchaseRequest = {
amount: 100,
currency: 'NGN',
description: 'test sample',
pageName: '',
transactionReference: 'TX12345ABZIRITCZ',
customerEmail: '[email protected]',
customUrlText: 'callback',
callbackUrl: 'https://api.example.com',

};

const purchaseResponse = await purchase(purchaseRequest);
console.log('✅ Purchase Response:\n', purchaseResponse.data);

const sampleRef = 'xgdadfdvcdfdsddgd';
const statusResponse = await confirmStatus(sampleRef);
console.log('✅ Status Response:\n', statusResponse.data);
} catch (error) {
console.error('❌ Error--:', error.message);
if (error.response) {
console.error('Response Data:', error.response.data);
console.error('Status:', error.response.status);
}
}
}

main();

Always protect your secret keys These keys grant access to your project and its associated resources, so they should never be shared or exposed in public repositories. Treat your keys as sensitive information to avoid unauthorized access to your account.

IntroductionPagination