All the requests sent by Bidco include a "hmac" header which is generated from a secret key (hmacKey) shared by the Bidco Server and the merchant, along with the data sent in the request.

To verify that the request came from Bidco, compute the HMAC digest according to the algorithm specified below and compare it to the value in the "hmac" header. If they match, you can be sure that the json message was sent from Bidco and the data has not been compromised.

  1. Concatenate the hmacKey + jsonEntityString together (In getProduct request this will be null as you do not get an entity from us)
  2. With the algorithm Sha-256 hash the (hmacKey + jsonEntityString) to give you an array of bytes
  3. Convert this to Base64

Example of header sent by Bidco Integration Server

hmac: oDsiHGxurnEiylFpXUVtUiLlJIiRNjlJRLL5djtINhU=

Hmac key implementation in different programming languages:

Java (JDK 1.8)

public String hmacSha256(String secretKey, String message) throws NoSuchAlgorithmException, UnsupportedEncodingException {
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    String content = message + secretKey;
    byte[] digest = md.digest();
    return Base64.getEncoder().encodeToString(digest);


    $hmac_key = "12345abc";
    $body = '';
    $calculatedHmac = base64_encode(hash ('sha256', $hmac_key . $body, true));
    //print $calculatedHmac;


  secretKey = "{SECRET KEY GOES HERE}";
  givenString = "{JSON PAYLOAD GOES HERE}";
  hash256 = HASH( secretKey & givenString, "SHA-256" );
  hashOutput = binaryEncode( binaryDecode( hash256, "hex" ), "base64" );
  //writeDump( hashOutput );


using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;
public class PowaTagEncrypt {
  public static void Main() {
    String hashOutput = Base64SHA256( "{SECRET KEY GOES HERE}", "{JSON PAYLOAD GOES HERE}" );
  public static String Base64SHA256(String hmacKey, String body) {
    String result;
    String value = hmacKey + body;
    using (SHA256 hash = SHA256Managed.Create()) {
      Encoding enc = Encoding.UTF8;
      Byte[] bytes = hash.ComputeHash(enc.GetBytes(value));
      result = Convert.ToBase64String(bytes);
    return result;


import hashlib
import base64
secretKey = "{SECRET KEY GOES HERE}"
givenString = "{JSON PAYLOAD GOES HERE}"
hashOutput = base64.b64encode( hashlib.sha256(  secretKey + givenString ).digest() )
# print hashOutput


require 'Base64'
require 'digest'
secretKey = "{SECRET KEY GOES HERE}"
givenString = "{JSON PAYLOAD GOES HERE}"
hashOutput = Base64.encode64( Digest::SHA256.digest secretKey + givenString )
# puts hashOutput


var crypto = require('crypto');
var secretKey = "{SECRET KEY GOES HERE}";
var givenString = "{JSON PAYLOAD GOES HERE}";
var hashOutput = crypto.createHash('sha256').update(secretKey + givenString).digest('base64');