Send a message

Use your API key as the Bearer token. You can view your API key and secret in your Zenzap organization API key settings.

HMAC-SHA256 signature for request verification.

HMAC signature of the request for authentication and replay protection.

Replay Protection: The signature includes a timestamp to prevent replay attacks. Requests with timestamps older than 5 minutes are rejected.

The signature payload differs by HTTP method:

• POST/PUT/PATCH/DELETE: HMAC-SHA256 of {timestamp}.{body}
• GET: HMAC-SHA256 of {timestamp}.{uri}

The signature is calculated as:

1. Get the current Unix timestamp in milliseconds
2. Determine the payload:
   • For POST/PUT/PATCH/DELETE: Use {timestamp}.{body} where body is the request body
   • For GET: Use {timestamp}.{uri} where uri is the full request URI (e.g., /v2/members?limit=10)
3. Calculate HMAC-SHA256 of the combined payload using your API secret
4. Hex-encode the output
5. Include the timestamp in the X-Timestamp header

Example for GET request to /v2/members?limit=10:

timestamp = 1699564800000
payload = "1699564800000./v2/members?limit=10"
signature = HMAC-SHA256(secret, payload)
X-Signature: hex(signature)
X-Timestamp: 1699564800000

Example for POST request with body {"topicId":"123","text":"Hello"}:

timestamp = 1699564800000
payload = '1699564800000.{"topicId":"123","text":"Hello"}'
signature = HMAC-SHA256(secret, payload)
X-Signature: hex(signature)
X-Timestamp: 1699564800000

For multipart/form-data requests, sign the exact raw request body bytes (including boundaries and file bytes) as transmitted.

Unix timestamp in milliseconds when the request was created. Used for replay protection - requests older than 5 minutes are rejected.