Signature
Signing the request
A signature is required in every request to prevent data from being tampered with. Each qualified API caller will be assigned a sign key by scanforpay.
Perform the following steps to sign the message:
- Concatenate the request field in a request message and the sign key into a string.
- Sign the string you get with SHA256.
If you implement this in Java, refer to DigestUtils in the Apache commons-codec package.
The request structure is defined in Introduction; an example is below:
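import org.apache.commons.codec.digest.DigestUtils;

// <request header> and <request body> are placeholders for the actual content
String req = "{"
    + "\"header\":{"
    + "<request header>"
    + "},"
    + "\"body\":{"
    + "<request body>"
    + "}"
    + "}";
String signKey = "123456"; // will be provided by scanforpay
String signature = DigestUtils.sha256Hex(req + signKey);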
Verifying signature
After receiving a response, perform the following steps to verify the signature:
- Split the full response contents into 2 parts: the response JSON string and the signature string.
- Sign the (response JSON + sign key) with SHA256.
- Compare the two signatures obtained in step 2 and step 1. If they are the same, the signed data has not been changed.
The response structure is defined in Introduction; an example is below:
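// <response header> and <response body> are placeholders for the actual content
String resp = "{"
    + "\"header\":{"
    + "<response header>"
    + "},"
    + "\"body\":{"
    + "<response body>"
    + "}"
    + "}";
String signKey = "123456"; // will be provided by scanforpay
// sign the response JSON (not the request) together with the sign key
String signature = DigestUtils.sha256Hex(resp + signKey);
// if (signature.equals(response.signature)) {
//     // if equal, success
// }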
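The signing and verification steps above as one self-contained Java class, added here as an example and not scanforpay's own code. It uses only the JDK (MessageDigest in place of DigestUtils) and compares signatures with MessageDigest.isEqual instead of String.equals. The class name, method names and sample response fields are constructed for illustration, and the response is assumed to be already split into its JSON part and its signature part.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class SignatureExample {

    // SHA-256 over (message + signKey) as lowercase hex, the same form
    // DigestUtils.sha256Hex returns. The string is encoded as UTF-8.
    static String sign(String message, String signKey) throws NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] digest = sha256.digest((message + signKey).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Recompute the signature over the response JSON exactly as received and
    // compare it with the signature part of the response.
    static boolean verify(String responseJson, String receivedSignature, String signKey)
            throws NoSuchAlgorithmException {
        if (responseJson == null || receivedSignature == null) {
            return false; // a missing part is treated as a failed verification
        }
        byte[] expected = sign(responseJson, signKey).getBytes(StandardCharsets.US_ASCII);
        byte[] received = receivedSignature.getBytes(StandardCharsets.US_ASCII);
        // MessageDigest.isEqual does not stop at the first differing byte
        return MessageDigest.isEqual(expected, received);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String signKey = "123456"; // sample key from this page; the real one comes from scanforpay

        // Constructed sample response; the field names are made up for this example
        String resp = "{\"header\":{\"version\":\"1.0\"},\"body\":{\"amount\":\"10.00\"}}";
        String signature = sign(resp, signKey); // stands in for the signature part of a response

        System.out.println("untouched response verifies: " + verify(resp, signature, signKey));

        // Any change to the signed string, even one character, changes the digest
        String tampered = resp.replace("10.00", "99.00");
        System.out.println("tampered response verifies:  " + verify(tampered, signature, signKey));
    }
}
```

The digest is computed over the exact string, so the response JSON must be verified as received, before any parsing or re-serialization changes its whitespace or field order.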