URL signature

If your widget URL contains sensitive information such as receiveWalletAddress, we strongly recommend using the signature parameter.

You can generate a signature of the URL server-side, which must be appended to the end of the URL. If the signature is provided, we'll check the validity of the query string to make sure it has not been altered.

How to generate signatures

Compute an HMAC with a SHA-256 hash function. Use your signature_secret as the key, and use the original query string as the message.

NOTE: Certain cloud providers and their API gateway may change the order of our parameters resulting in a failed signature validation.

Example with NodeJS

import crypto from 'crypto';

const originalUrl = 'https://onramp.pokoapp.xyz/?apiKey=abc&receiveWalletAddress=0x9D731d97&userId=test_userId';
const signature_secret = 'YOUR_ACCOUNT_signature_secret';

const signature = crypto
    .createHmac('sha256', signature_secret)
    .update(new URL(originalUrl).search)
    .digest('hex');

const urlWithSignature = `${originalUrl}&signature=${signature}`;