Signature

Signing the request

A signature is required in every request to prevent data from being tampered with. Each qualified API caller will be assigned a sign key by scanforpay.

Perform the following steps to sign the message:

  1. Concatenate the request fields of the request message and the sign key into a single string.
  2. Sign the resulting string with SHA256.

If you implement this in Java, refer to DigestUtils in the Apache commons-codec package.

The request structure is defined in Introduction; an example follows:

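    import org.apache.commons.codec.digest.DigestUtils;

    // JSON request message, built by concatenation (Java string literals cannot span lines)
    String req = "{"
        + "\"header\":{"
        +     "<request header>"
        + "},"
        + "\"body\":{"
        +     "<request body>"
        + "}"
        + "}";
    String signKey = "123456"; // will be provided by scanforpay
    // Hex-encoded SHA256 of (request + sign key)
    String signature = DigestUtils.sha256Hex(req + signKey);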

Verifying signature

After receiving a response, perform the following steps to verify the signature:

  1. Split the full response contents into two parts: the response JSON string and the signature string.
  2. Sign the (response JSON + sign key) with SHA256.
  3. Compare the signature computed in step 2 with the one obtained in step 1. If they are the same, the signed data has not been changed.

The response structure is defined in Introduction; an example follows:

    String resp = "{"
        + "\"header\":{"
        +     "<response header>"
        + "},"
        + "\"body\":{"
        +     "<response body>"
        + "}"
        + "}";
    String signKey = "123456"; // will be provided by scanforpay
    // Hash the response JSON (not the request) together with the sign key
    String signature = DigestUtils.sha256Hex(resp + signKey);
    // if (signature.equals(response.signature)) {
    //     if equal, success
    // }
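
The sign and verify steps above as one self-contained program that uses only the JDK (an added example, not scanforpay's code). The sample JSON field names are constructed, and `verify` takes the response JSON and signature as already separated because the page does not specify how the two parts are joined.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class SignatureExample {

    // SHA256 over (message + signKey) as lowercase hex, matching DigestUtils.sha256Hex
    static String sign(String message, String signKey) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest((message + signKey).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Recompute the signature over the JSON exactly as received, then compare with
    // MessageDigest.isEqual, which does not stop at the first differing byte.
    static boolean verify(String receivedJson, String receivedSignature, String signKey)
            throws NoSuchAlgorithmException {
        byte[] expected = sign(receivedJson, signKey).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = receivedSignature.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String signKey = "123456"; // placeholder from the page; the real key is provided by scanforpay
        // Constructed sample message; the field names are hypothetical
        String resp = "{\"header\":{\"code\":\"0\"},\"body\":{\"amount\":\"100\"}}";
        String signature = sign(resp, signKey);

        System.out.println("untouched:     " + verify(resp, signature, signKey));

        // A changed field value no longer matches the signature
        String tampered = resp.replace("\"100\"", "\"900\"");
        System.out.println("tampered:      " + verify(tampered, signature, signKey));

        // Parsed and re-encoded JSON (here: extra whitespace) is a different string,
        // so hash the raw text that was received, never a re-serialized copy.
        String reformatted = resp.replace(":", ": ");
        System.out.println("re-serialized: " + verify(reformatted, signature, signKey));
    }
}
```

Only the untouched message verifies; the tampered and re-serialized strings are both rejected.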
