Authentication [Deprecated]

If you have created API keys before 17 June 2020, use this Authentication method. If you have created API keys after 17 June 2020, refer Authentication [Stable].

❗️

Deprecated

If you have created API keys before 17 June 2020, use this Authentication method. If you have created API keys after 17 June 2020, refer Authentication [Stable].

Authorization header

All calls to the Open API require authentication. You will need to get an access_key and secret_key from the dashboard via the settings page. See Generating access_key and secret_key.

Signing requests

API Key authentication requires each request to be signed, this ensures that your secret key is not part of the transmission.

Making a request

All REST requests must contain the following headers:

Header keyDescription
AuthorizationWhere your signed request information will be transmitted
X-O-TimestampThe timestamp of your request
Request bodyAll request bodies should have a content type of application/json and be valid JSON.

The Authorization header will have the format of
Authorization: ACCESS_KEY:REQUEST_SIGNATURE

The REQUEST_SIGNATURE is computed by creating a sha256 HMAC using the secret key on the prehash string made using the combination timestamp + method + body.

In case of a GET request, the prehash string should be made as timestamp + method .

//Generation of REQUEST_SIGNATURE for a POST Request

client_request_method = 'POST';

//Your request body
//Please note that below is a sample client body. It changes depending on the API which you are using 


$client_body ='{"amount":"9.00","contact_number":"5119991919","email_id":"[email protected]","currency":"INR","mtx":"123456XYZ"}';


//Concatinating all together to make prehash string
$string = $client_timestamp_header.$client_request_method.$client_body;

//Use below line in case of GET requests
//$string = $client_timestamp_header.$client_request_method;

//IMPORTANT : Remove all whitespaces and newlines
$string = preg_replace('/\s+/', '', $string);

//Hash generation
$REQUEST_SIGNATURE =  hash_hmac('sha256', $string, $secret_key);

❗️

Remove all white spaces and newlines from pre-hash string

There will be whitespaces and newline in a JSON body. Always remove all white spaces and newlines before hashing the string.

Field details for signature generation

FieldDetails
timestampThis is the same value as transmitted in the X-O-Timestamp header
methodThe request method in all upper case. Eg : POST
bodyThe JSON body of the request.

There are a lot of online hash generators available. Below is one javascript which you can use for a quick REQUEST_SIGNATURE generation ( Only for testing ).

❗️

Generate REQUEST_SIGNATURE from server side

Never share your API secret or expose it in the client-side. The API secret is similar to what a password is. Always generate REQUEST_SIGNATURE at the server-side. The above javascript example is ONLY for representational purpose and is not suppose to be used in production.


What’s Next

Get started with our suite of Payment APIs

Did this page help you?