4.1 API Prerequisites

| Item | Requirement |
|---|---|
| App Token | Sumsub app token for the correct environment. Sandbox tokens usually begin with sbx: and production tokens with prd:. |
| Secret Key | Used to generate HMAC-SHA256 request signatures. |
| Base URL | https://api.sumsub.com. Environment is determined by token prefix, not a different hostname. |
| Level name | Example: payblr-kyc-individuals-poa-batch. |
| HTTP client | Must support HTTPS, custom headers, JSON, multipart/form-data, and UTC-synced timestamps. |

Store credentials in a secrets manager. Never embed the app token or secret key in frontend or mobile code.

4.2 API Authentication

Every Sumsub API request requires the following headers:

| Header | Description |
|---|---|
| X-App-Token | App token. |
| X-App-Access-Ts | Unix timestamp in seconds, UTC. |
| X-App-Access-Sig | Lowercase hex HMAC-SHA256 signature. |

Signature Format

payload = bytes(timestamp + METHOD + path + body)
signature = HMAC_SHA256(secretKey, payload) -> lowercase hex
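
The signature format above as a runnable Python sketch. This is an added example, not Sumsub's or this guide's own code. The function names and the sample token, secret, path and body are constructed, and signing the path together with its query string is an assumption.

```python
import hashlib
import hmac
import time

# Constructed sample values, not real credentials.
SAMPLE_TOKEN = "sbx:EXAMPLE-APP-TOKEN"
SAMPLE_SECRET = "EXAMPLE-SECRET-KEY"
# Assumption: the signed path includes the query string.
SAMPLE_PATH = "/resources/applicants?levelName=payblr-kyc-individuals-poa-batch"


def _as_bytes(body):
    """Return the exact bytes that go on the wire (None means no body)."""
    if body is None:
        return b""
    return body.encode("utf-8") if isinstance(body, str) else bytes(body)


def compute_signature(secret_key, ts, method, path, body=None):
    """HMAC_SHA256(secretKey, timestamp + METHOD + path + body) as lowercase hex."""
    payload = str(ts).encode() + method.upper().encode() + path.encode() + _as_bytes(body)
    return hmac.new(secret_key.encode(), payload, hashlib.sha256).hexdigest()


def sign_request(app_token, secret_key, method, path, body=None, ts=None):
    """Build the three authentication headers for one request."""
    ts = int(time.time()) if ts is None else int(ts)  # Unix seconds, UTC
    return {
        "X-App-Token": app_token,
        "X-App-Access-Ts": str(ts),
        "X-App-Access-Sig": compute_signature(secret_key, ts, method, path, body),
    }


def signature_matches(secret_key, headers, method, path, body=None):
    """Local self-check: recompute the signature and compare in constant time."""
    expected = compute_signature(secret_key, headers["X-App-Access-Ts"], method, path, body)
    return hmac.compare_digest(expected, headers["X-App-Access-Sig"])


if __name__ == "__main__":
    body = '{"externalUserId":"user-123"}'  # constructed sample body
    hdrs = sign_request(SAMPLE_TOKEN, SAMPLE_SECRET, "POST", SAMPLE_PATH, body, ts=1700000000)
    print(hdrs)
    # A re-serialized body (extra whitespace) no longer matches the signature.
    print(signature_matches(SAMPLE_SECRET, hdrs, "POST", SAMPLE_PATH, '{"externalUserId": "user-123"}'))
```

Sign the same bytes the HTTP client sends: if the client re-serializes the JSON after signing, the signature no longer covers the transmitted body.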

Rules