Authentication
All merchant API requests are authenticated with website-scoped `pk_` and `sk_` credentials.
Required Headers
Headers
Authorization: Bearer pk_xxx
x-api-secret: sk_xxx
x-timestamp: 1710000000
x-signature: <hmac_sha256_hex>
Content-Type: application/jsonSignature Construction
Pseudo Code
canonical = METHOD + "\n" + PATH_WITH_QUERY + "\n" + RAW_BODY + "\n" + TIMESTAMP
signature = HMAC_SHA256_HEX(sk_secret, canonical)