Try the following 3 actions:
1. If SDK is not used, use this example value to create HMAC Auth header and ceck if it has the same value as that of the sample HMAC Auth header. The header data when sending the request must use the same string that was used to generate the HMAC Auth header.
2. Check if merchantId is set upon request. How to set is shown here when SDK is used, and here when SDK is not used.
3. Check if Epoch set on HMAC header indicates the current date and time. Its difference from the current date and time for 2 minutes or more will result in an error. Check the setting of date and time because a server time may be set. Also check if the setting is in seconds.