# Parent Platforms

Create your HMAC Secret and `POST` to Branta:

## Adding payments

> Adds a new payment to Branta. Expires after ttl seconds.
>
> **HMAC Authentication:** When the API key has a parent platform, HMAC validation is required. The HMAC signature is computed as follows:
>
> 1. Create a message string: `{METHOD}|{URL}|{BODY}|{TIMESTAMP}`
> 2. Generate HMAC-SHA256 signature using the parent platform's API secret
> 3. Include the signature in the `X-HMAC-Signature` header
> 4. Include the timestamp in the `X-HMAC-Timestamp` header
>
> The timestamp must be within 30 minutes of the current time to prevent replay attacks.

```json
{"openapi":"3.0.0","info":{"title":"Branta API","version":"1"},"servers":[{"url":"https://staging.branta.pro/v1","description":"Staging is meant for pre-production workflows"}],"paths":{"/payments":{"post":{"summary":"Adding payments","description":"Adds a new payment to Branta. Expires after ttl seconds.\n\n**HMAC Authentication:** When the API key has a parent platform, HMAC validation is required. The HMAC signature is computed as follows:\n1. Create a message string: `{METHOD}|{URL}|{BODY}|{TIMESTAMP}`\n2. Generate HMAC-SHA256 signature using the parent platform's API secret\n3. Include the signature in the `X-HMAC-Signature` header\n4. Include the timestamp in the `X-HMAC-Timestamp` header\n\nThe timestamp must be within 30 minutes of the current time to prevent replay attacks.","parameters":[{"in":"header","name":"Authorization","required":true,"schema":{"type":"string"},"description":"`Authorization` header with Bearer token is required to authorize the request. Format: `Bearer {your_api_key}`. This API key is unique to each client and must be included in the header of every request. Failure to provide a valid API key will result in an unauthorized error.\n\nKeep your API key confidential."},{"in":"header","name":"X-HMAC-Timestamp","required":true,"schema":{"type":"string","format":"int64"},"description":"Unix timestamp in seconds. Must be within 30 minutes of the current time to prevent replay attacks."},{"in":"header","name":"X-HMAC-Signature","required":true,"schema":{"type":"string"},"description":"HMAC-SHA256 signature of the request. 
The signature is computed using the parent platform's API secret and includes the HTTP method, URL, request body, and timestamp."}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PaymentRequest"}}}},"responses":{"201":{"description":"Payment created successfully"},"401":{"description":"Unauthorized - Invalid API key or HMAC validation failed","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Unauthorized"}}}},"422":{"description":"Unprocessable Content","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UnprocessableContent"}}}}}}}},"components":{"schemas":{"PaymentRequest":{"type":"object","properties":{"payment":{"type":"object","properties":{"payment":{"type":"string","description":"The Bitcoin or Lightning payment address."},"ttl":{"type":"integer","description":"Branta will remove the payment after ttl seconds."},"metadata":{"type":"string","description":"Optional stringified JSON to show the user."},"alt_payments":{"type":"array","items":{"type":"string"},"description":"Additional valid addresses for this checkout."}},"required":["payment","ttl"]}},"required":["payment"]},"Unauthorized":{"type":"object","properties":{"error":{"type":"string"}}},"UnprocessableContent":{"type":"object","properties":{"payment":{"type":"string"},"ttl":{"type":"string"}}}}}}
```
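The four signing steps above, with a matching server-side check, as an added example (not code from Branta). It shows why the body must be signed as the exact string that is sent and how the 30-minute window rejects a stale signature. Assumptions not stated on this page: the signature is hex-encoded, `{URL}` is the full request URL, and the secret, address and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 30 * 60  # the 30-minute replay window from the spec


def sign_request(secret: bytes, method: str, url: str, body: str, timestamp: int) -> dict:
    """Build the X-HMAC-* headers over {METHOD}|{URL}|{BODY}|{TIMESTAMP}."""
    message = f"{method}|{url}|{body}|{timestamp}"
    # Hex encoding is an assumption; the page does not state the encoding.
    digest = hmac.new(secret, message.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"X-HMAC-Signature": digest, "X-HMAC-Timestamp": str(timestamp)}


def verify_request(secret, method, url, body, headers, now=None) -> bool:
    """Hypothetical receiver: check freshness first, then compare in constant time."""
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers["X-HMAC-Timestamp"])
        presented = headers["X-HMAC-Signature"]
    except (KeyError, ValueError):
        return False  # missing or malformed header
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # outside the replay window
    expected = sign_request(secret, method, url, body, timestamp)["X-HMAC-Signature"]
    return hmac.compare_digest(expected.encode(), presented.encode())


def demo() -> dict:
    secret = b"constructed-parent-platform-secret"  # constructed, not a real secret
    url = "https://staging.branta.pro/v1/payments"  # full URL is an assumption
    payload = {"payment": {"payment": "bc1q-constructed-address", "ttl": 600}}
    # Serialize once, then sign and send this same string.
    body = json.dumps(payload, separators=(",", ":"))
    now = 1_700_000_000  # constructed Unix timestamp in seconds
    headers = sign_request(secret, "POST", url, body, now)
    return {
        "fresh": verify_request(secret, "POST", url, body, headers, now=now + 60),
        "stale": verify_request(secret, "POST", url, body, headers,
                                now=now + MAX_SKEW_SECONDS + 1),
        "body_changed": verify_request(secret, "POST", url,
                                       body.replace("600", "601"), headers, now=now),
        # Re-serializing changes whitespace, so the signed bytes no longer match.
        "reserialized": verify_request(secret, "POST", url,
                                       json.dumps(json.loads(body)), headers, now=now),
    }


if __name__ == "__main__":
    print(demo())
```
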
