The X-Gw-Signature request header contains a SHA256 HMAC signature of the X-Gw-Timestamp, request method, endpoint and payload as JSON headers, using your secret key, encoded as hex. If you are sending a GET or DELETE request, the payload will be empty.

For Javascript: Using CryptoJS

require 'date'

api_secret = 'YOUR_SECRET_KEY'
timestamp ='%Q')
method = 'POST'
endpoint = '/api/v1/contractors'
payload = {
  contractor: {
    email: '[email protected]',
    first_name: 'Karen',
    last_name: 'Example'

data = [timestamp, method, endpoint, payload].join
signature = OpenSSL::HMAC.hexdigest("SHA256", api_secret, data)
request['X-Gw-Signature'] = signature
var CryptoJS  = require("crypto-js");
var timestamp = (new Date).getTime().toString();
var method = 'POST';
var endpoint = '/api/v1/contractors';
var payload = JSON.stringify({
  "contractor": {
    "first_name": 'Karen',
    "last_name": 'Example',
    "email": '[email protected]',

var data = [ timestamp, method, endpoint, payload ].join('');
var bytes = CryptoJS.HmacSHA256(data, api_secret);
var signature = bytes.toString(CryptoJS.enc.Hex);