Signature Service consists of the following fields:
| Field Name | Field Type | Mandatory | Field Description |
|---|---|---|---|
| Content-type | String | M | Media type of the resource, i.e. application/json |
| X-TIMESTAMP | String | M | Client’s current local time in ISO-8601 format |
| X-SIGNATURE | String | M | Created using symmetric signature HMAC_SHA512 algorithm |
| Authorization | String | M | Represents access_token of a request, received from Access Token API response |
| X-PARTNER-ID | String | M | Merchant’s partner ID |
| X-EXTERNAL-ID | String | M | Merchant’s unique ID per transaction request |
| CHANNEL-ID | String | M | PJP’s channel id. |
| X-DEVICE-ID | String | M | Device identification on which the API services are currently being accessed by the end user (customer). Sample: Web Application: Mozilla / 5.0(Windows NT 10.0; Win64; x64)AppleWebKit / 537.36(KHTML, like Gecko)Chrome / 75.0.3770.100 Safari / 537.36 OPR / 62.0.3331.99 Mobile Application: Android: android-20013adf6cdd8123f iOS: 72635bdfd223yvjm7246nsdj34hd4559393kjh42 |
| Content-type | application/json |
| X-TIMESTAMP | 2020-01-01T00:00:00+07:00 |
| X-SIGNATURE | da1fa417c72d6b91c257e01e54fac824 |
| Authorization | Bearer gp9HjjEj813Y9JGoqwOeOPWbnt4CupvIJbU1Mmu4a11MNDZ7Sg5u9a |
| X-PARTNER-ID | BMRI |
| X-EXTERNAL-ID | 12345678901234567890 |
| CHANNEL-ID | 12345 |
| X-DEVICE-ID | 0987ADCASA |
Symmetric Signature HMAC_SHA512
Based on the specification above, merchant should use symmetric signature HMAC_SHA512 for Transactional API.
Merchant should use this formula to create X-SIGNATURE for Transactional API:
HTTPMethod +”:“+ EndpointUrl +":"+ AccessToken +":“+ Lowercase(HexEncode(SHA-256(minify(RequestBody))))+ ":“ + TimeStamp encrypted with merchant’s client secret by using HMAC_SHA512 algorithm.
1529627511dee28c3daa9a4d89f19540d71dbfaee506380288fd011f2961f88297a387ecdab1da1ac14d518d0df2dd2b3e566ce2200700e0839259c271cc2e27
| No | Steps |
|---|---|
| 1 | Given merchant has client secret fdppqbF5wq7vVegyvsV1CROMv646nJ7A |
| 2 | Given merchant wants to create a request with header for POSTContent-type:application/json X-TIMESTAMP:2020-01-01T00:00:00+07:00Authorization: Bearer gp9HjjEj813Y9JGoqwOeOPWbnt4CupvIJbU1Mmu4a11MNDZ7Sg5u9a X-PARTNER-ID: BMRI X-DEVICE-ID: 0987ADCASA X-EXTERNAL-ID:12345678901234567890 CHANNEL-ID:12345 |
| 3 | X-SIGNATURE value for encryption will be:POST:/v1.0/debit/payment-host-to-host:gp9HjjEj813Y9JGoqwOeOPWbnt4CupvIJbU1Mmu4a11MNDZ7Sg5u9a:56fa5f4999ad8014de49d7898c1d1d53472569db8999de3c1b752a0dd181e98c:2020-01-01T00:00:00+07:00*same value as HTTPMethod +”:“+ EndpointUrl +":"+ AccessToken +":“+ Lowercase(HexEncode(SHA-256(minify(RequestBody))))+ ":“ + TimeStamp |
| 4 | By using merchant’s client secret to encrypt the value with HMAC_SHA512 algorithm, merchant will generateFSlidRHe4ow9qppNifGVQNcdv67lBjgCiP0BHylh+IKXo4fs2rHaGsFNUY0N8t0rPlZs4iAHAOCDklnCccwuJw== |
| 5 | Final result of merchant's header will be:Content-type:application/json X-TIMESTAMP:2020-01-01T00:00:00+07:00 Authorization: Bearer gp9HjjEj813Y9JGoqwOeOPWbnt4CupvIJbU1Mmu4a11MNDZ7Sg5u9a X-PARTNER-ID: BMRI X-DEVICE-ID: 0987ADCASA X-EXTERNAL-ID:12345678901234567890 CHANNEL-ID:12345 X-SIGNATURE: FSlidRHe4ow9qppNifGVQNcdv67lBjgCiP0BHylh+IKXo4fs2rHaGsFNUY0N8t0rPlZs4iAHAOCDklnCccwuJw== |