For all API requests, it is mandatory to format the header as described below:

FieldMandatoryDescription
AcceptYesAPI version, data type and encoding
Accept-LanguageNoInput language. Default value is EN_US
AuthorizationYesSHA256 generated with a secret key to guarantee request authenticity.
Format: store-id:hash
To generate the authorization, besides the store-id, it is required: secret-key, URL Path (e.g. /transactions), URL Query String (e.g. ?initial_date=yyyy-mm-dd) and Content MD5 (the latter only for POST requests).
The hash is generated using hmac-sha256-algorithm (secret-key, (URL Path + URL Query String + Content MD5)).
Content-TypeYesOnly Application/json is accepted

📘

Mandatory when is post request

Header example

GET / HTTP 1.1
Host: api.boacompra.com
Accept: en-US
Accept-Language: application/vnd.boacompra.com.v1+json; charset=UTF-8
Authorization: 123:ba567109f868df40c7cda9c5563bf2a9cdcb8b6bc68cac4a60091fa519352289
Content-Type: application/json

Example for POST requests

public class Header {
  private String secretKey = "ABCDE0987";
  private String storeId = "10";
  private String contentMD5;
  private String httpVerb;

  public Header(String content, String url) throws NoSuchAlgorithmException, MalformedURLException, UnsupportedEncodingException {
    this.setContentMd5(content);
    this.setHttpVerb(new URL(url));
  }

  private void setHttpVerb(URL url) {
    this.httpVerb = url.getPath() + (url.getQuery() != null ? '?' + url.getQuery() : "");
  }

  private void setContentMd5(String content) throws NoSuchAlgorithmException, UnsupportedEncodingException {
    MessageDigest md = MessageDigest.getInstance("MD5");
    byte messageDigest[] = md.digest(content.getBytes("UTF-8"));
    this.contentMD5 =  new BigInteger(1,messageDigest).toString(16);
  }

  private String generateAuthorization() throws NoSuchAlgorithmException, InvalidKeyException, UnsupportedEncodingException {
    final String data = this.httpVerb+this.contentMD5;
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(this.secretKey.getBytes("UTF8"), "HmacSHA256"));

    return Hex.encodeHexString(mac.doFinal(data.getBytes("UTF-8")));
  }

  public HashMap<String,String> generateHeader() throws InvalidKeyException, NoSuchAlgorithmException, UnsupportedEncodingException {
    HashMap<String, String> headers = new HashMap<>();
    headers.put("Accept", "application/vnd.boacompra.com.v2+json; charset=UTF-8");
    headers.put("Content-Type", "application/json");
    headers.put("Authorization", this.storeId+':'+this.generateAuthorization());

    return headers;

  }

}

String content = "{\"transaction-id\":123456789,\"amount\":10.57,\"notify-url\":\"https://virtualstore.com/notifications\",\"test-mode\":0}";

Header header = new Header(content, "https://api.boacompra.com/boa-compra-end-point");
HashMap<String, String> headerMap = header.generateHeader();

System.out.println(Arrays.asList(headerMap));
class header
{
  private $secretKey = 'ABCDE0987';
  private $storeId = 10;

  public function __construct($content, $url)
  {
    $this->setContentMd5($content);
    $this->setHttpVerb($url);
  }

  private function setContentMd5($content)
  {
    $this->contentMd5 = md5($content);
  }

  private function setHttpVerb($url)
  {
    if (parse_url($url, PHP_URL_QUERY)) {
      $this->httpVerb = parse_url($url, PHP_URL_PATH).'?'.parse_url($url, PHP_URL_QUERY);
    } else {
      $this->httpVerb = parse_url($url, PHP_URL_PATH);
    }
  }

  private function generateAuthorization()
  {
    return hash_hmac(
      'sha256',
      $this->httpVerb . $this->contentMd5,
      $this->secretKey
    );
  }

  public function generateHeader()
  {
    $headers = array(
      'Accept' => 'application/vnd.boacompra.com.v2+json; charset=UTF-8',
      'Content-Type' => 'application/json',
      'Authorization' => $this->storeId . ':' . $this->generateAuthorization()
    );
    return $headers;
  }
}

echo 'POST EXAMPLE <br />';
$content = '{"transaction-id":123456789,"amount":10.57,"notify-url":"https://virtualstore.com/notifications","test-mode":0}';

$headerPost = new header($content, 'https://api.boacompra.com/boa-compra-end-point');
print_r($headerPost->generateHeader());
require 'uri'
require 'openssl'
require 'digest/md5'

class Header

  SECRET_KEY = 'ABCDE0987'
  STORE_ID = 10

  attr_reader :contentMD5, :httpVerb

  def initialize(content, url)
    setContentMD5(content)
    setHttpVerb(url)
  end

  private
  def setContentMD5(content)
    @contentMD5 = Digest::MD5.hexdigest(content).to_s
  end

  private
  def getQueryString(url)
    uri = URI(url)
    url.to_s.empty? || uri.query.nil? ? '' : '?' + uri.query
  end

  private
  def setHttpVerb(url)
    uri = URI::parse(url)
    @httpVerb = getQueryString(url).to_s.empty? ? uri.path : uri.path + "?" + getQueryString(url)
  end

  private
  def generateAuthorization()
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), SECRET_KEY, @httpVerb + @contentMD5)
  end

  public
  def generateHeader()
    headers = {
      "Accept"           => 'application/vnd.boacompra.com.v2+json; charset=UTF-8',
      "Content-Type"     => 'application/json',
      "Authorization"    => STORE_ID.to_s + ":" + generateAuthorization()
    }
    headers
  end
end

puts '<pre>POST EXAMPLE <br />'
content = '{"transaction-id":123456789,"amount":10.57,"notify-url":"https://virtualstore.com/notifications","test-mode":0}';
headerGet = Header.new(content, 'https://api.boacompra.com/boa-compra-end-point')
puts headerGet.generateHeader()
"""Python 2.7"""
from urlparse import urlparse
import hashlib
import hmac
import md5

class Header:

  __secretKey = '123'
  __storeId = 10

  def __init__(self, content, url):
    self.__setHttpVerb(url)
    self.__setContentMd5(content)

  def __setHttpVerb(self, url):
    urlParsed = urlparse(url)
    self.__httpVerb = urlParsed.path + urlParsed.query

  def __setContentMd5(self, content):
    self.__contentMd5 = md5.new(content).hexdigest()

  def __generateAuthorization(self):
    return hmac.new(
      self.__secretKey,
      self.__httpVerb + self.__contentMd5,
      hashlib.sha256
    ).hexdigest()

  def generateHeader(self):
    return {
      'Accept': 'application/vnd.boacompra.com.v2+json; charset=UTF-8',
      'Content-Type': 'application/json',
      'Authorization': str(self.__storeId) + ':' + self.__generateAuthorization()
    }

from Header import Header

content = '{"transaction-id":123456789,"amount":10.57,"notify-url":"https://virtualstore.com/notifications","test-mode":0}'
url = 'https://api.boacompra.com/boa-compra-end-point'

a = Header(content, url)
print a.generateHeader()
"""Python 3.x"""
from urllib.parse import urlparse
import hashlib
import hmac

class Header:

  __secretKey = '123'
  __storeId = 10

  def __init__(self, content, url):
    self.__setHttpVerb(url)
    self.__setContentMd5(content)

  def __setHttpVerb(self, url):
    urlParsed = urlparse(url)
    self.__httpVerb = urlParsed.path + urlParsed.query

  def __setContentMd5(self, content):
    self.__contentMd5 = hashlib.md5(content.encode()).hexdigest()

  def __generateAuthorization(self):
    authContent = self.__httpVerb + self.__contentMd5

    return hmac.new(
      self.__secretKey.encode(),
      authContent.encode(),
      hashlib.sha256
    ).hexdigest()

  def generateHeader(self):
    return {
      'Accept': 'application/vnd.boacompra.com.v2+json; charset=UTF-8',
      'Content-Type': 'application/json',
      'Authorization': str(self.__storeId) + ':' + self.__generateAuthorization()
    }

from Header import Header

content = '{"transaction-id":123456789,"amount":10.57,"notify-url":"https://virtualstore.com/notifications","test-mode":0}'
url = 'https://api.boacompra.com/boa-compra-end-point'

a = Header(content, url)
print(a.generateHeader())

Errors

Authorization Header

CodeKeyDescription
10001header_authorization_missingMissing header Authorization in request
10002header_authorization_bad_formatAuthorization header bad formation
10003header_authorization_invalidAuthorization header error

Accept Header

CodeKeyDescription
10201header_accept_missingMissing header Accept in request
10202header_accept_application_missingMissing Application on header Accept
10203header_accept_bad_formatHeader Accept with bad format
10204header_accept_format_missingMissing Format on header Accept
10205header_accept_charset_missingMissing Charset on header Accept
10206header_accept_application_invalidInvalid Application on Accept Header
10207header_accept_format_invalidInvalid Format on Accept Header
10208header_accept_charset_invalidInvalid Charset on Accept Header
10209header_accept_version_invalidInvalid Version on Accept Header

Content-Type Header

CodeKeyDescription
10301header_contenttype_missingMissing header Content-Type in request
10302header_contenttype_not_acceptedContent-Type is not accepted

Accept Language

CodeKeyDescription
10401header_language_not_acceptedLanguage not accepted