OptionalcontentSent Content-Type; omit/empty when the request has no body.
The Date header value being sent (RFC-1123 GMT).
OptionalgcsSigned x-gcs-* headers (e.g. the idempotence key), keyed by header name.
Upper-case HTTP method.
Absolute resource path, e.g. /v2/{merchantId}/payments (no query string).
Worldline Direct "v1HMAC" request authentication, built on WebCrypto so the server adapter runs on edge runtimes (no
node:crypto, noBuffer).The signature covers a canonical string assembled from the request, each line terminated by
\n, in this exact order:Dateheader value (RFC-1123 GMT)x-gcs-*header, canonicalized aslowercased-key:value(value trimmed, internal whitespace collapsed to single spaces), sorted alphabetically by key, each terminated with\n/v2/{merchantId}/payments)There is a trailing
\nafter the path. The digest is HMAC-SHA256 over the UTF-8 bytes, base64-encoded, and carried asAuthorization: GCS v1HMAC:{apiKeyId}:{signature}.Worldline also accepts an
X-GCS-Datesigned header in place of theDateHTTP header (line 3 stays empty andx-gcs-datejoins the canonical block) — useful on edge runtimes that forbid setting theDaterequest header. The documentedDate-header form is implemented here as the default.