Status and error codes

Order statuses (data.status): CONFIRMED, PARTIALLY_CANCELLED, CANCELLED, DECLINED.
| HTTP | Meaning |
|------|---------|
| 200 | applied (or a safe retry) — the body has the current order state |
| 401 | auth failed — missing header, expired timestamp, bad signature, or inactive key |
| 422 | invalid data or an illegal change (e.g. a refund larger than the order, a confirm after cancel) |
| 409 | write collision — retry with the same event_id |
| 429 | too many requests — slow down and retry |

Ready-to-paste signing helpers

Each of these computes the signature exactly as our server checks it. The one rule they all follow: serialize the body once, sign that exact string, send those exact bytes.
<?php
function signAndPost(string $base, string $apiKey, string $secret, string $path, array $payload): array
{
    $ts   = (string) time();
    $body = json_encode($payload, JSON_UNESCAPED_UNICODE); // serialize ONCE
    $sig  = hash_hmac('sha256', $ts . $body, $secret);

    $ch = curl_init($base . $path);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,   // the SAME bytes we signed
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => [
            'Content-Type: application/json',
            'X-Merchant-Key: ' . $apiKey,
            'X-Signature-Timestamp: ' . $ts,
            'X-Signature: ' . $sig,
        ],
    ]);
    $res  = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    return ['status' => $code, 'body' => json_decode($res, true)];
}

$out = signAndPost('https://realry.com/api/v1/direct', 'mk_your_key', 'your_hmac_secret',
    '/conversions', [
        'merchant_order_id' => 'order-1',
        'event_id'          => 'evt-1',
        'amount'            => 49900,
        'currency'          => 'KRW',
        'cb_aev'            => $clickId, // $clickId must be set by your code before this call
        'product_name'      => 'Silk Blouse',
    ]);
Stuck on a 401 invalid_signature? It almost always means the bytes you signed differ from the bytes you sent — usually the body got re-encoded or its keys reordered after signing. Build the body once, sign it, send it unchanged.
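
To see why a changed body produces 401 invalid_signature, this added example (not Realry's code) signs a body once and then checks several altered copies against a local stand-in for the server check. The function names, the sample secret and payload values, and the 300-second timestamp window are assumptions; the page only states that the signature is an HMAC-SHA256 over the timestamp followed by the body.

```php
<?php
// Added example, not Realry's code. verifyLocally() is a hypothetical stand-in
// for the server-side check, built only from what this page states:
// signature = hex HMAC-SHA256 over (timestamp . raw body).
// The 300-second freshness window is an assumed value; the page gives none.

function sign(string $ts, string $body, string $secret): string
{
    return hash_hmac('sha256', $ts . $body, $secret);
}

function verifyLocally(string $ts, string $rawBody, string $sig, string $secret, int $now, int $maxSkew = 300): string
{
    if (!ctype_digit($ts) || abs($now - (int) $ts) > $maxSkew) {
        return 'expired_timestamp';
    }
    // Constant-time comparison over the bytes exactly as received.
    return hash_equals(sign($ts, $rawBody, $secret), $sig) ? 'ok' : 'invalid_signature';
}

$secret  = 'sandbox_secret_constructed';   // constructed sample value
$now     = 1700000000;                     // fixed clock so the run is repeatable
$ts      = (string) $now;
$payload = ['merchant_order_id' => 'order-1', 'event_id' => 'evt-1',   // constructed sample order
            'amount' => 49900, 'currency' => 'KRW', 'product_name' => '실크 블라우스'];

$body = json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR); // serialize ONCE
$sig  = sign($ts, $body, $secret);

// Three ways the sent bytes drift from the signed bytes, plus a stale timestamp.
$reencoded = json_encode(json_decode($body, true));          // default flags escape Unicode as \uXXXX
ksort($payload);
$reordered = json_encode($payload, JSON_UNESCAPED_UNICODE);  // same data, different key order
$pretty    = json_encode(json_decode($body, true), JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT);

$cases = [
    'unchanged body'       => [$ts, $body],
    're-encoded (escaped)' => [$ts, $reencoded],
    'keys reordered'       => [$ts, $reordered],
    'pretty-printed'       => [$ts, $pretty],
    'stale timestamp'      => [(string) ($now - 3600), $body],
];
foreach ($cases as $label => [$t, $b]) {
    printf("%-22s %s\n", $label, verifyLocally($t, $b, $sig, $secret, $now));
}
```

Only the unchanged body passes; each altered copy carries the same data but different bytes, which is the mismatch behind most invalid_signature responses.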

Questions? Reach out to your Realry partner contact. Always test with a sandbox key first, then ask us to issue your live credential.