Doubts regarding APIs in Node.js

Hey everyone, if you have doubts regarding usage of Rapyd APIs using Node.js (both JavaScript and TypeScript), add your question in comment and I will try to help you out.


That’s a generous offer, Neel! Thanks for helping out, and best of luck on your project.

Hi Neel,

I am using Stripe right now for my Flutter app but I wish to give Rapyd a try. However, I have issues with the Request Signature. The Node.js codes provided by Rapyd below is in Javascript (I presume). While Typescript should not defer very much, I still encounter problems which I am not even sure what is it. However, I guess it could be the “body”. It says the body is a JSON but what data should go inside here?

var http_method = 'get';                // Lower case.
var url_path = '/v1/data/countries';    // Portion after the base URL.
var salt = CryptoJS.lib.WordArray.random(12);  // Randomly generated for each request.
var timestamp = (Math.floor(new Date().getTime() / 1000) - 10).toString();
                                        // Current Unix time.
var access_key = 'your-access-key';     // The access key received from Rapyd.
var secret_key = 'your-secret-key';     // Never transmit the secret key by itself.
var body = '';                          // JSON body goes here.

if (JSON.stringify( !== '{}' && !== '') {
    body = JSON.stringify(JSON.parse(;

var to_sign = http_method + url_path + salt + timestamp + access_key + secret_key + body;

var signature = CryptoJS.enc.Hex.stringify(CryptoJS.HmacSHA256(to_sign, secret_key));

signature = CryptoJS.enc.Base64.stringify(CryptoJS.enc.Utf8.parse(signature));

Aside to that, is it secure to collect the Card details on my app and pass the data to Firebase Cloud Functions which then passes to Rapyd? Any PCI compliance issues?

  • HTTP GET requests do not have a body. If you put an empty object {} in there, it will break the signature. In other requests, the body variable contains the entire JSON string. You will have to experiment a little bit with the whitespace. You also need to verify that you are using the right options for your SHA256 and Base64 functions. These options differ among the many languages and variants.
  • If your client has PCI clearance, you can collect the card details and submit them as part of a payment method object in any API method that supports them. If your client does not have PCI clearance, they will not be able to use any production methods that require card number and other sensitive information.
  • Remember that you are developing a demo or prototype, so your project can be designed either for PCI-certified clients or non-PCI-certified clients, or both. Make it clear when you put together your demo video.

Good luck with your project!