# Headers

All KwikPaisa API requests must include the required authentication headers to securely communicate with the KwikPaisa infrastructure.

These headers are used to:

* Identify your merchant account
* Validate request authenticity
* Verify payload integrity
* Prevent replay attacks
* Secure API communication

Every request sent to KwikPaisa APIs must include a valid:

* API Key
* Timestamp
* HMAC SHA256 Signature

Missing or invalid headers may result in authentication failure.

***

## Required Headers

```http
Content-Type: application/json
Accept: application/json
X-API-KEY: pk_test_xxxxxxxxx
X-SIGNATURE: GENERATED_SIGNATURE
X-TIMESTAMP: GENERATED_TIMESTAMP
```

## Header Reference

| Header         | Required | Description                             |
| -------------- | -------- | --------------------------------------- |
| `Content-Type` | Yes      | Must always be `application/json`       |
| `Accept`       | Yes      | Defines expected API response format    |
| `X-API-KEY`    | Yes      | Your unique KwikPaisa API key           |
| `X-SIGNATURE`  | Yes      | HMAC SHA256 generated request signature |
| `X-TIMESTAMP`  | Yes      | Current UNIX timestamp in seconds       |

***

## X-API-KEY

The `X-API-KEY` uniquely identifies your merchant account within the KwikPaisa platform.

This key is provided during merchant onboarding and is required for all API requests.

### Example

```
X-API-KEY: pk_test_xxxxxxxxx
```

### Important Notes

* Sandbox and production API keys are different
* Invalid API keys may result in:

```
401 Unauthorized
```

* Never expose production API keys publicly

***

## X-TIMESTAMP

The `X-TIMESTAMP` header contains the current UNIX timestamp in seconds.

KwikPaisa validates timestamps to:

* Prevent replay attacks
* Verify request freshness
* Improve API security

### Example

```
X-TIMESTAMP: 1778659835
```

### Important Notes

* Timestamp must be generated dynamically
* Use UNIX seconds format only
* Expired timestamps may be rejected
* Server time should remain synchronized

***

## X-SIGNATURE

The `X-SIGNATURE` header contains the HMAC SHA256 generated request signature.

This signature verifies:

* Merchant authenticity
* Request integrity
* Payload validity

The signature is generated as described in Authentication → [Signature](/v3-guide/authentication/signature.md).

### Example

```
X-SIGNATURE: 623a603fa35bb5ab736a1272dcd797908ab9af4b0247a55bcfc8676cd821a39b
```

### Important Notes

* Signatures must always be generated server-side
* Never expose your secret key publicly
* Payload modifications after signing will invalidate the request
* Invalid signatures may result in:

```
401 Unauthorized
```
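The following added example (not KwikPaisa's own code) builds the five required headers and shows why the bytes that are signed must be the bytes that are sent. The string-to-sign layout (`timestamp + "." + body`), the environment variable names and the demo secret are assumptions made for illustration; the real layout is the one defined on the Signature page.

```python
import hashlib
import hmac
import json
import os
import time

def string_to_sign(timestamp, body):
    # ASSUMPTION: placeholder layout. Replace with the layout from the
    # Signature page, which this page only links to.
    return timestamp.encode() + b"." + body

def _hmac_hex(secret, timestamp, body):
    return hmac.new(secret.encode(), string_to_sign(timestamp, body),
                    hashlib.sha256).hexdigest()

def build_headers(api_key, secret, body, now=None):
    """Return the five required headers for one request carrying `body`."""
    # UNIX seconds, generated fresh for every request.
    timestamp = str(int(time.time()) if now is None else now)
    return {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "X-API-KEY": api_key,
        "X-SIGNATURE": _hmac_hex(secret, timestamp, body),
        "X-TIMESTAMP": timestamp,
    }

def prepare_request(api_key, secret, payload, now=None):
    """Serialize once, sign those bytes, and return exactly those bytes to send."""
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    return build_headers(api_key, secret, body, now), body

def signature_matches(secret, headers, body):
    """Recompute the signature over the received bytes, as a verifier would."""
    expected = _hmac_hex(secret, headers["X-TIMESTAMP"], body)
    return hmac.compare_digest(expected, headers["X-SIGNATURE"])

if __name__ == "__main__":
    # Constructed sample values; hypothetical variable names. Real credentials
    # belong in server-side configuration, never in client code.
    key = os.environ.get("KWIKPAISA_API_KEY", "pk_test_xxxxxxxxx")
    secret = os.environ.get("KWIKPAISA_SECRET_KEY", "constructed-demo-secret")
    order = {"order_id": 6116229263036, "order_amount": 105, "order_currency": "INR"}
    headers, body = prepare_request(key, secret, order)
    print("signed bytes verify:", signature_matches(secret, headers, body))
    # Same data, re-serialized with different whitespace: different bytes.
    pretty = json.dumps(order, indent=2).encode("utf-8")
    print("re-serialized bytes verify:", signature_matches(secret, headers, pretty))
```

Pass the returned `body` bytes to the HTTP client unchanged; letting the client re-encode the payload from the dictionary can alter whitespace or key order and break the signature.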

***

## Content-Type

KwikPaisa APIs accept JSON request payloads only.

### Required Value

```
Content-Type: application/json
```

Requests using unsupported content types may fail validation.

***

## Accept Header

The `Accept` header specifies the expected API response format.

### Required Value

```
Accept: application/json
```

***

## Example Request

```
curl --request POST \
  --url https://sandbox.kwikpaisa.com/api/v3/pg/order/create \
  --header "Content-Type: application/json" \
  --header "Accept: application/json" \
  --header "X-API-KEY: pk_test_xxxxxxxxx" \
  --header "X-SIGNATURE: GENERATED_SIGNATURE" \
  --header "X-TIMESTAMP: GENERATED_TIMESTAMP" \
  --data '{
  "order_id": 6116229263036,
  "order_amount": 105,
  "order_currency": "INR",
  "order_note": "Additional order info",
  "service_type": "DIGITAL",
  "customer": {
    "name": "Ajay",
    "email": "developer@jangras.co",
    "phone": "9816512345"
  }
}'
```

***

## Common Authentication Errors

### 401 Unauthorized

Possible reasons:

* Invalid API key
* Incorrect signature
* Expired timestamp
* Missing authentication headers

***

### 400 Bad Request

Possible reasons:

* Invalid JSON payload
* Missing required fields
* Incorrect request structure

***

## Security Recommendations

* Always generate signatures server-side
* Never expose secret keys publicly
* Use HTTPS only
* Generate fresh timestamps for every request
* Validate webhook signatures before processing callbacks

