HTTP status: 401 · Title: “Request signature invalid”Documentation Index
Fetch the complete documentation index at: https://docs.kash.bot/llms.txt
Use this file to discover all available pages before exploring further.
When it fires
X-Kash-Signature was present but did not verify against the API key plaintext over the canonical signing input ${ts}.${method}.${path}.${body}.
Signing is opt-in: requests without X-Kash-Signature skip this check entirely. Once present, it MUST verify.
Why it happens
- The body was modified in transit (a transparent proxy that re-encoded JSON, an HTTP client that renormalised whitespace).
- The timestamp is outside the ±5 min tolerance (clock skew).
- The signature was computed over the wrong input — common mistake: signing the URL instead of the path-only, or omitting the leading slash on
path. - The wrong secret was used (e.g., the
webhook_secretinstead of the API key plaintext).
How to fix
- Canonical input format:
${unixMillis}.${UPPERCASE_METHOD}.${pathWithLeadingSlash}.${rawBody}(raw body bytes, not re-serialised JSON). - Key the HMAC with the API key plaintext (the same value as
X-API-Key). - Header format:
X-Kash-Signature: t=<unixMillis>,v1=<hexHmacSha256>. - Sync your clock — NTP. If you’re consistently 6+ minutes off, fix the host clock.
- Check the
signatureReasonextension field on the problem response — it pinpoints which check failed (stale,mismatch,malformed).
apps/public-api/README.md § Optional request body signing for the full reference.
Related codes
API_KEY_MISSING/API_KEY_INVALID— earlier failure points