Overview

API for the Spritz Finance platform with RFC 9457 error handling

  • OpenAPI version: 3.0.3

Cognito JWT token for regular user authentication

Security scheme type: http

Bearer format: JWT

Integrator JWT token (prefix: spr_) for frontend integrator authentication. Obtained via token exchange endpoint.

Security scheme type: http

Bearer format: JWT

HMAC signature authentication for backend integrators.

Required Headers:

  • X-Integrator-Key: Integrator API key (format: int_…)
  • X-Signature: HMAC signature (format: sha256={hex})
  • X-Timestamp: Unix timestamp in milliseconds
  • Authorization: Bearer {user-api-key}

Signature Algorithm: HMAC-SHA256

Signature Format: {timestamp}.{METHOD}.{path}.{bodyHash}

  • timestamp: Unix timestamp in milliseconds
  • METHOD: HTTP method in UPPERCASE (GET, POST, etc.)
  • path: Request path (e.g., /v1/transactions)
  • bodyHash: SHA256 hex digest of request body (empty string if no body)

Timestamp Tolerance: ±5 minutes (300 seconds)

Example: For POST /v1/transactions with body {"amount":100} and timestamp 1234567890000:

  • Payload: 1234567890000.POST./v1/transactions.{sha256(body)}
  • Signature: sha256=abc123…

Security scheme type: apiKey

Header parameter name: X-Signature
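The signing scheme and the X-Timestamp tolerance check described above, as an added Python example (not Spritz's own code). Assumptions: the HMAC key is a shared integrator secret supplied as bytes, the digest is lowercase hex, a request with no body contributes an empty bodyHash field, and the helper names and credential values are constructed for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_MS = 300 * 1000  # page: timestamp tolerance of +/-5 minutes (300 seconds)

def signing_payload(timestamp_ms, method, path, body):
    # {timestamp}.{METHOD}.{path}.{bodyHash}; hash the exact bytes sent on the wire.
    # Assumption: with no body, the bodyHash field is the empty string.
    body_hash = hashlib.sha256(body).hexdigest() if body else ""
    return f"{timestamp_ms}.{method.upper()}.{path}.{body_hash}"

def sign_request(secret, integrator_key, user_api_key, method, path, body=b"", now_ms=None):
    """Client side: build the four required headers."""
    ts = int(time.time() * 1000) if now_ms is None else now_ms
    mac = hmac.new(secret, signing_payload(ts, method, path, body).encode(), hashlib.sha256)
    return {
        "X-Integrator-Key": integrator_key,
        "X-Signature": "sha256=" + mac.hexdigest(),
        "X-Timestamp": str(ts),
        "Authorization": f"Bearer {user_api_key}",
    }

def verify_request(secret, headers, method, path, body=b"", now_ms=None):
    """Receiver side (illustrative): freshness check, then constant-time compare."""
    now = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_MS:
        return False  # stale or future-dated request: reject as a possible replay
    mac = hmac.new(secret, signing_payload(ts, method, path, body).encode(), hashlib.sha256)
    expected = "sha256=" + mac.hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), headers.get("X-Signature", "").encode())

# Constructed sample values, not real credentials.
SECRET = b"example-hmac-secret"
BODY = b'{"amount":100}'
HEADERS = sign_request(SECRET, "int_example", "user-api-key-example",
                       "post", "/v1/transactions", BODY, now_ms=1234567890000)
```

Serialize the body once and sign those same bytes; re-encoding the JSON after signing changes bodyHash and the signature no longer verifies.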

Integrator API key (format: int_…) used with HMAC authentication

Security scheme type: apiKey

Header parameter name: X-Integrator-Key

Legacy integrator authentication for SDK backwards compatibility.

Required Headers:

  • X-INTEGRATION-KEY: Integration key
  • Authorization: Bearer {user-api-key}

No HMAC signing required. Less secure than HMAC auth — use only for legacy SDK migration.

Security scheme type: apiKey

Header parameter name: X-INTEGRATION-KEY

Unix timestamp in milliseconds for replay attack prevention. Must be within 5 minutes of server time.

Security scheme type: apiKey

Header parameter name: X-Timestamp