Authentication (HMAC)

Your API token goes in the URL. Only the signed messaging endpoints currently require HMAC headers:

• POST /api/whatsapp/{token}/sendMessage
• POST /api/whatsapp/{token}/sendMedia
• POST /api/whatsapp/{token}/invite-info
• POST /api/whatsapp/{token}/channel-info

Headers

• X-API-Timestamp: milliseconds since epoch (example: Date.now())
• X-API-Signature: hex HMAC-SHA256

Signature

You sign:

timestamp + token + rawBody

Where rawBody is the exact JSON string you send.

Example (Node.js)

import crypto from "crypto";

const token = process.env.DIGICHAT_API_TOKEN;
const secret = process.env.DIGICHAT_API_SECRET;

const timestamp = String(Date.now());
const body = JSON.stringify({
  chatId: "963912345678",
  type: "text",
  text: "Hello!"
});

const signature = crypto
  .createHmac("sha256", secret)
  .update(timestamp + token + body)
  .digest("hex");

// headers:
// X-API-Timestamp: timestamp
// X-API-Signature: signature

Example (PHP)

$timestamp = (string) round(microtime(true) * 1000);
$token = env('DIGICHAT_API_TOKEN');
$secret = env('DIGICHAT_API_SECRET');

$body = json_encode([
  'chatId' => '963912345678',
  'type' => 'text',
  'text' => 'Hello!'
], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES);

$signature = hash_hmac('sha256', $timestamp . $token . $body, $secret);

Common mistakes

• Signing a different JSON than what you actually send (whitespace/order differences).
• Using seconds instead of milliseconds.
• Using a token value that doesn’t match the URL.
• Sending canonical fields in the body but signing a legacy body string, or the reverse.

Session endpoints without HMAC

These endpoints use the token in the URL, but do not require signature headers:

• GET /api/whatsapp/{token}/ping
• POST /api/whatsapp/{token}/start
• GET /api/whatsapp/{token}/status
• GET /api/whatsapp/{token}/qr
• GET /api/whatsapp/{token}/qr/image
• POST /api/whatsapp/{token}/refresh
• POST /api/whatsapp/{token}/terminate

Next SDKS