We do not sell, distribute, or share our API with third parties; this infrastructure is privately maintained for HimoSoft, and this documentation is for reference purposes only and does not represent the complete documentation.

Authentication

The HimoSoft API uses HMAC-SHA256 signatures to authenticate merchant requests. Every incoming request must present an X-HMAC-Signature header generated from your secure key.

Required Header: X-HMAC-Signature
Encryption Method: HMAC-SHA256
Signature Calculation python 
# Python Example
import hmac, hashlib

timestamp = "1714764000"
body = '{"amount": "10.00"}'
secret = "himo_sk_..."

payload = timestamp + body
signature = hmac.new(
    secret.encode(), 
    payload.encode(), 
    hashlib.sha256
).hexdigest()
Post /v1/payments/

Create a Payment

This endpoint creates a brand-new secure payment lifecycle token. The API returns a direct checkout_url for browser redirection where users select card, mobile banking, or crypto.

Arguments & Parameters
amount required string (decimal)
currency required string (ISO 4217)
idempotency_key optional string
Request Body
{
  "amount": "1500.00",
  "currency": "BDT",
  "order_id": "TRANS_001",
  "callback_url": "https://yoursite.com/hook",
  "idempotency_key": "unique_8822"
}
Response
{
  "id": "pay_9k2l1...",
  "status": "pending",
  "amount": "1500.00",
  "checkout_url": "https://pay.devlab.himelrana.com/checkout/9k..."
}

Errors

HimoSoft uses standard HTTP status envelopes to represent authentication, processing, and transaction lifecycle errors.

200 - OK Request completed successfully.
400 - Bad Request Missing parameters or malformed payloads.
401 - Unauthorized HMAC validation failed or signature is invalid.
404 - Not Found The requested transaction record does not exist.
Error Response
{
  "error": "invalid_signature",
  "message": "HMAC validation failed. Check credentials."
}

Idempotency

Safely retry payment creation without executing transactions twice using secure transactional tokens.

Specify an `idempotency_key` string parameter when calling the checkout creator. If the node matches a previous key within 24 hours, it responds with the cached checkout URL.

Idempotency Retention SLA

Keys are fully unique across merchant IDs and automatically garbage collected after exactly 24 hours.

Get /v1/payments/{id}/

Retrieve a Payment

Returns the current transaction state from the database.

Response JSON
{
  "id": "pay_9k2l1...",
  "status": "completed",
  "amount": "1500.00",
  "currency": "BDT",
  "created_at": "2026-05-03T19:30:00Z"
}
Post /v1/payments/{id}/verify/

Verify Status (DB-only)

Performs an instant database status retrieval. This endpoint serves as a highly optimized, rate-limit-free verification check specifically designed for instant merchant redirects.

Status Result
{
  "id": "pay_9k2l1...",
  "status": "completed",
  "external_id": "ch_3O2...",
  "verification_time": "2026-05-04T01:40:00Z"
}
Post /v1/payments/{id}/recheck/

Live Recheck (Gateway query)

Forces a live, direct request from the gateway to the active provider node (Stripe, BKash, etc.) to query real-time gateway records and reconcile any offline state changes. Recommended for asynchronous webhooks and customer retry flows.

Live Verification Response
{
  "id": "pay_9k2l1...",
  "status": "completed",
  "reconciled": true,
  "external_id": "tr_bkash_9281...",
  "recheck_time": "2026-05-18T10:46:00Z"
}