API Reference
Status Page
Start typing to search…

Authentication

Configure authentication for the Bamboo Payouts API using HMAC SHA-256 signatures and merchant credentials.

All requests sent to the Payouts API must include specific authentication headers to identify the merchant and validate each request.


Required Headers

Key

Value

Description

Content-Type

application/json

Indicates that the request body is formatted in JSON.

Authorization

Basic {{MerchantPrivateKey}}

Use the MerchantPrivateKey provided by Bamboo when your merchant account was created.
Example: Basic RVkeL-s86_iTzSMLvDtuyQ-1zqIcsmF-coSzncn_uFvQnj7b-B3rtZg__

DigitalSignature

{{DigitalSignature}}

HMAC SHA-256 signature used to verify the authenticity of the request. This header is mandatory only for Payout creation.

⚠️

Requests without valid authentication headers will be rejected with HTTP 401 (Unauthorized).


Signing the Message

The digital signature is used to verify the authenticity and integrity of each Payout request.
It must be generated using the HMAC SHA-256 algorithm with the secret-key provided by Bamboo during onboarding.

Include the following fields from the request body when building the signature:

ParameterDescription
countryCountry code where the payout is processed.
amountTotal amount of the payout.
currencyCurrency code in ISO-4217 format.
referenceUnique reference identifier for the payout.
typePayout type (for example, BANK, WALLET, or CARD).

The resulting hash must be converted to a hexadecimal string and sent in the header DigitalSignature.


Example: Signature Generation

// Parse the JSON request body
var json = JSON.parse(request.data);

// Build the data object with required parameters
let signdata = {
  Country: json.country,
  Amount: json.amount,
  Currency: json.currency,
  Reference: json.reference,
  Type: json.type
};

// Serialize the data and create the HMAC SHA-256 signature
var data = JSON.stringify(signdata);
var hexHash = CryptoJS.HmacSHA256(data, secret_key);
var hash = hexHash.toString(CryptoJS.enc.Hex);

// Result to include in the DigitalSignature header
console.log("DigitalSignature:", hash);

Example Header

DigitalSignature: 64f1f2a0c5a548e59be3c146a7dcf8827f7e8d3d01a6b2c2d8b87a4b93a07b22


What’s Next

Once your authentication setup is ready, continue with the following steps to complete your Payouts integration.

Payout Request

Learn how to create and send payout requests using the authenticated headers.

Test the API

Try real examples in the API Reference and validate your integration in the staging environment.

Country Considerations

Review country-specific fields, supported currencies, and local compliance rules.