Authentication Headers

Authentication information is sent via custom HTTP request headers — not inside the request body itself.

Tranzila uses a secure access-token mechanism to ensure authentication, prevent replay attacks (processing the same request more than once), and guard against man-in-the-middle attacks.

Every merchant must enroll in Tranzila API Services and obtain both a public key and a secret key from Tranzila.

  • The public key is included in each request header and is visible in transit.
  • The secret key is used only internally — by your server application — to sign each request. It must never be exposed client-side.

Important: Keep your secret key secure at all times and never share it. Because the secret key must remain on the server, you cannot call the Tranzila API directly from a browser or web client — all API calls must be made through a server-side proxy.


Required Headers

| Header | Description |
|---|---|
| X-tranzila-api-app-key | Application key supplied by Tranzila |
| X-tranzila-api-request-time | Request time in Unix format (integer seconds since January 1st, 1970 00:00:00 UTC) |
| X-tranzila-api-nonce | An 80-character random hexadecimal string generated fresh for each session |
| X-tranzila-api-access-token | HMAC-SHA256 of the application key, signed with: secret + request-time + nonce |

Generating a Valid Access Token

The access token is computed as follows:

access_token = HMAC-SHA256( message: app_key, key: secret + timestamp + nonce )

Output must be hex-encoded.

Code Examples

PHP
<?php
$json   = trim(isset($_POST['jsontext']) ? $_POST['jsontext'] : '');
$time   = time();
$appKey = '<public app key>';
$secret = '<private app key>';
$nonce  = bin2hex(random_bytes(40)); // produces an 80-character hex string

$accessToken = hash_hmac('sha256', $appKey, $secret . $time . $nonce);

$ch = curl_init('<<service endpoint URL>>');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLINFO_HEADER_OUT, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $json);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'Content-Length: ' . strlen($json),
    'X-tranzila-api-app-key: '      . $appKey,
    'X-tranzila-api-request-time: ' . $time,
    'X-tranzila-api-nonce: '        . $nonce,
    'X-tranzila-api-access-token: ' . $accessToken,
));

$data = curl_exec($ch);
curl_close($ch);
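
The following Python sketch is an added example, not Tranzila's code. It builds the four headers exactly as defined above and pairs them with a hypothetical receiving-side check, to show how the timestamp and nonce in the HMAC key allow stale and replayed requests to be rejected. The `Verifier` class, the 300-second window and the sample keys are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window, not a documented Tranzila value


def _token(app_key, secret, ts, nonce):
    key = (secret + ts + nonce).encode()  # HMAC key = secret + request-time + nonce
    return hmac.new(key, app_key.encode(), hashlib.sha256).hexdigest()  # hex output


def sign_request(app_key, secret, now=None, nonce=None):
    """Client side: build the four authentication headers."""
    ts = str(int(time.time() if now is None else now))
    nonce = nonce or secrets.token_hex(40)  # 40 random bytes -> 80 hex chars
    return {
        "X-tranzila-api-app-key": app_key,
        "X-tranzila-api-request-time": ts,
        "X-tranzila-api-nonce": nonce,
        "X-tranzila-api-access-token": _token(app_key, secret, ts, nonce),
    }


class Verifier:
    """Hypothetical receiving side (assumption, not Tranzila's implementation)."""
    def __init__(self, secrets_by_app_key):
        self.secrets = secrets_by_app_key
        self.seen = set()  # (app_key, nonce) pairs; a real service would expire them

    def check(self, headers, now):
        app_key = headers["X-tranzila-api-app-key"]
        ts = headers["X-tranzila-api-request-time"]
        nonce = headers["X-tranzila-api-nonce"]
        sent = headers["X-tranzila-api-access-token"]
        secret = self.secrets.get(app_key)
        if secret is None or not ts.isdecimal():
            return "rejected: unknown key or bad time"
        expected = _token(app_key, secret, ts, nonce)
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), sent.encode()):
            return "rejected: bad token"
        if abs(now - int(ts)) > MAX_SKEW_SECONDS:
            return "rejected: stale"
        if (app_key, nonce) in self.seen:
            return "rejected: replay"
        self.seen.add((app_key, nonce))
        return "accepted"
```

The token covers only the application key, request time and nonce, not the request body, so the body's integrity in transit depends on the TLS connection to the endpoint.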