For signed APIs, partners need to use Ed25519 signature-based authentication instead of JWT. Each request must be cryptographically signed using an Ed25519 private key held by the partner. Holdstation Pay verifies the signature on the server side using the partner’s registered public key. This ensures both the authenticity and integrity of every request, preventing tampering or replay attacks.
Signed API authentication is required in addition to the Partner-App-Key header — all three signed-request headers must be present on every signed request.
Keep your API key secure. Do not expose it in client-side code or public repositories.

Required Headers

Each signed request must include:

| Header | Description |
| --- | --- |
| Partner-App-Key | The partner’s app key (same as used for other integrations) |
| X-HSPay-Signature | Base64-encoded Ed25519 signature of the sign data |
| X-HSPay-Timestamp | Unix timestamp in seconds. Must be within 60 seconds of the server time |

The signature is computed over the sign data, which is built by joining the sorted query string, the raw request body, and the timestamp with \n:

```
sign_data = sorted_query_string + "\n" + body + "\n" + timestamp
```

See Signing Requests for the full signing algorithm and code examples.
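
The scheme described above, as an added Go example that is not Holdstation Pay's own code: it builds the sign data, signs it, and runs a receiver-side check so you can see a changed body and a stale timestamp both being rejected. Assumptions: the query string is sorted by key and URL-encoded as `url.Values.Encode` does, the signature uses standard Base64, and the function names and sample request values are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
)

// signData joins the sorted query string, raw body and timestamp with "\n".
// Assumption: "sorted" means key order, as produced by url.Values.Encode.
func signData(q url.Values, body, ts string) []byte {
	return []byte(q.Encode() + "\n" + body + "\n" + ts)
}

// Sign returns the Base64 value for the X-HSPay-Signature header.
func Sign(priv ed25519.PrivateKey, q url.Values, body, ts string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signData(q, body, ts)))
}

// Verify sketches a receiver-side check: timestamp freshness, then signature.
// now is passed in (Unix seconds) so the check is deterministic in tests.
func Verify(pub ed25519.PublicKey, q url.Values, body, ts, sig string, now int64) error {
	t, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return errors.New("malformed timestamp")
	}
	if d := now - t; d > 60 || d < -60 {
		return errors.New("timestamp outside 60-second window")
	}
	raw, err := base64.StdEncoding.DecodeString(sig)
	if err != nil || !ed25519.Verify(pub, signData(q, body, ts), raw) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key pair
	q := url.Values{"limit": {"10"}, "asset": {"USDC"}} // constructed sample request
	body, ts := `{"amount":"5"}`, "1700000000"
	sig := Sign(priv, q, body, ts)
	fmt.Println(Verify(pub, q, body, ts, sig, 1700000005))               // accepted
	fmt.Println(Verify(pub, q, `{"amount":"500"}`, ts, sig, 1700000005)) // body changed
	fmt.Println(Verify(pub, q, body, ts, sig, 1700000300))               // stale timestamp
}
```

The body passed to `signData` must be the exact bytes sent on the wire; re-serializing JSON after signing changes the sign data and the signature no longer verifies.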