# Generate an HMAC signature

This REST API reference describes how to return unique signature and token values that are used to process a CORS-enabled API call.

Endpoint: POST /v1/hmac-signatures

Version: 2025-12-17

## Header parameters:

- `Idempotency-Key` (string) Specify a unique idempotency key if you want to perform an idempotent POST or PATCH request. Do not use this header in other request types. With this header specified, the Zuora server can identify subsequent retries of the same request using this value, which prevents the same operation from being performed multiple times by accident.
- `Accept-Encoding` (string) Include the `Accept-Encoding: gzip` header to compress responses as a gzipped file. It can significantly reduce the bandwidth required for a response. If specified, Zuora automatically compresses responses that contain over 1000 bytes of data, and the response contains a `Content-Encoding` header with the compression algorithm so that your client can decompress it.
- `Content-Encoding` (string) Include the `Content-Encoding: gzip` header to compress a request. With this header specified, you should upload a gzipped file for the request payload instead of sending the JSON payload.
- `Authorization` (string) The value is in the `Bearer {token}` format where `{token}` is a valid OAuth token generated by calling Create an OAuth token.
- `Zuora-Track-Id` (string) A custom identifier for tracing the API call. If you set a value for this header, Zuora returns the same value in the response headers. This header enables you to associate your system process identifiers with Zuora API calls, to assist with troubleshooting in the event of an issue. The value of this field must use the US-ASCII character set and must not include any of the following characters: colon (:), semicolon (;), double quote ("), and quote (').
- `Zuora-Entity-Ids` (string) An entity ID. If you have Zuora Multi-entity enabled and the OAuth token is valid for more than one entity, you must use this header to specify which entity to perform the operation in. If the OAuth token is only valid for a single entity, or you do not have Zuora Multi-entity enabled, you do not need to set this header.

## Request fields (application/json):

- `accountKey` (string) Customer account number or ID. Specify this field only when creating signatures for Create payment method. Example: "A00000001"
- `method` (string, required) Possible values are: 'GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'. Example: "POST"
- `name` (string) Account name. Specify this field only when creating signatures for Create account.
- `pageId` (string) The page id of your Payment Pages 2.0 form. Click Show Page Id next to the Payment Page name in the Hosted Page List to retrieve the page id. Specify this field only when creating signatures for RSA Signatures.
- `uri` (string, required) The URI of the API object the customer will make a CORS-enabled call to. Example: "https://rest.zuora.com/v1/payment-methods/credit-cards"

## Response 200 fields (application/json):

- `signature` (string) Contains a keyed-hash message authentication code (HMAC), e.g. ZmI0ZjE2ZTMxMWY1YjA0ZTc4MTg1ZDhlYWRkMTEwNDE3M2RiMzNiNQ==
- `success` (boolean) Returns true if the request was processed successfully.
- `token` (string) Contains a token code, e.g. gCH6gYqQffQCsFKSLuxyagXsuXcIK0uf
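
A server-side sketch of this call, added here as an example and not Zuora's own code: it builds the request with the documented headers and fields, enforces the `method` and `Zuora-Track-Id` constraints before anything is sent, and reads `signature` and `token` only when `success` is true. The base URL (taken from the page's example URI), the function names and the sample response are assumptions.

```python
import json
import urllib.request

BASE_URL = "https://rest.zuora.com"  # assumption: host from the page's example URI
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE", "OPTIONS"}
FORBIDDEN_TRACK_CHARS = set(":;\"'")


def check_track_id(track_id):
    """Enforce the Zuora-Track-Id rules: US-ASCII, none of : ; " '."""
    if not track_id.isascii() or FORBIDDEN_TRACK_CHARS & set(track_id):
        raise ValueError("invalid Zuora-Track-Id")
    return track_id


def build_hmac_signature_request(token, method, uri, idempotency_key,
                                 track_id=None, account_key=None):
    """Build (but do not send) the POST /v1/hmac-signatures request."""
    if method not in ALLOWED_METHODS:
        raise ValueError(f"method must be one of {sorted(ALLOWED_METHODS)}")
    body = {"method": method, "uri": uri}  # the two required fields
    if account_key is not None:
        body["accountKey"] = account_key  # only for Create payment method
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "Idempotency-Key": idempotency_key,  # makes a retried POST safe
    }
    if track_id is not None:
        headers["Zuora-Track-Id"] = check_track_id(track_id)
    return urllib.request.Request(
        BASE_URL + "/v1/hmac-signatures",
        data=json.dumps(body).encode("utf-8"),
        headers=headers, method="POST")


def parse_hmac_signature_response(raw):
    """Return (signature, token) from a 200 body; raise unless success is true."""
    doc = json.loads(raw)
    if doc.get("success") is not True:
        raise RuntimeError("hmac-signatures call was not successful")
    return doc["signature"], doc["token"]


# Constructed sample response body, not captured from a real tenant.
SAMPLE_RESPONSE = b'{"signature": "EXAMPLE-SIGNATURE", "success": true, "token": "EXAMPLE-TOKEN"}'
```

Pass the returned request to `urllib.request.urlopen` from server-side code so the OAuth bearer token never reaches the browser; only the returned `signature` and `token` are handed to the page that makes the CORS call.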