1. Ensure that the values of API key, API secret, token, timestamp, nonce and data used in calculating HMAC match the corresponding values used in the HTTP headers.
  2. Ensure that the correct hashing algorithm is used.
  3. Ensure that the API key, API secret and merchant token are correctly entered without leading or trailing spaces.
  4. Ensure that the timestamp in the HTTP headers is in milliseconds and represents epoch time calculated from UTC time.
  5. Ensure that the timestamp in the HTTP header is within 5 minutes of our server time. This depends on your server time.

Sample code for generating HMAC is available in the "Docs and Sandbox" page and in Direct API repositories