Authentication [Deprecated]
If you created your API keys before 17 June 2020, use this Authentication method. If you created your API keys after 17 June 2020, refer to Authentication [Stable].
Authorization header
All calls to the Open API require authentication. You will need to get an access_key and secret_key from the dashboard via the settings page. See Generating access_key and secret_key.
Signing requests
API Key authentication requires each request to be signed. Signing ensures that your secret key is not part of the transmission.
Making a request
All REST requests must contain the following headers:
Header key | Description |
---|---|
Authorization | Where your signed request information will be transmitted |
X-O-Timestamp | The timestamp of your request |
Request body | All request bodies should have a content type of application/json and be valid JSON. |
The Authorization header has the following format:
Authorization:Bearer ACCESS_KEY:REQUEST_SIGNATURE
The REQUEST_SIGNATURE is computed by creating a SHA-256 HMAC, keyed with the secret key, over the prehash string formed by concatenating timestamp + method + body.
In case of a GET request, the prehash string should be made as timestamp + method.
```php
<?php
// Generation of REQUEST_SIGNATURE for a POST request

// Placeholders: your secret key and the same timestamp value you send in X-O-Timestamp
$secret_key = 'YOUR_SECRET_KEY';
$client_timestamp_header = 'YOUR_TIMESTAMP';

$client_request_method = 'POST';

// Your request body
// Please note that below is a sample client body. It changes depending on the API you are using
$client_body = '{"amount":"9.00","contact_number":"5119991919","email_id":"[email protected]","currency":"INR","mtx":"123456XYZ"}';

// Concatenating everything to make the prehash string
$string = $client_timestamp_header . $client_request_method . $client_body;

// Use the line below in case of GET requests
// $string = $client_timestamp_header . $client_request_method;

// IMPORTANT: Remove all whitespace and newlines
$string = preg_replace('/\s+/', '', $string);

// Hash generation
$REQUEST_SIGNATURE = hash_hmac('sha256', $string, $secret_key);
```
Remove all whitespace and newlines from the prehash string
There will be whitespace and newlines in a JSON body. Always remove all whitespace and newlines before hashing the string.
Field details for signature generation
Field | Details |
---|---|
timestamp | This is the same value as transmitted in the X-O-Timestamp header |
method | The request method in all upper case, e.g. POST |
body | The JSON body of the request. |
There are many online hash generators available. Below is a JavaScript snippet that you can use for quick REQUEST_SIGNATURE generation (only for testing).
Generate REQUEST_SIGNATURE on the server side
Never share your API secret or expose it on the client side. The API secret is like a password. Always generate the REQUEST_SIGNATURE on the server side. The above JavaScript example is ONLY for representational purposes and is not supposed to be used in production.
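A server-side Node.js version of the signing steps above, covering both the POST and GET prehash forms. This is an added example, not the provider's code or the testing snippet the page refers to; the function names, key placeholders, timestamp value and `note` field are assumptions.

```javascript
const { createHmac } = require('crypto');

// ASCII whitespace only. JavaScript's \s would also strip Unicode spaces such
// as U+00A0, which the byte-oriented \s in the PHP sample does not match.
const WHITESPACE = /[ \t\n\r\f\v]+/g;

// Prehash = timestamp + METHOD (+ body unless GET), with all whitespace removed.
function buildPrehash(timestamp, method, body) {
  const verb = String(method).toUpperCase();
  const raw = verb === 'GET' ? `${timestamp}${verb}` : `${timestamp}${verb}${body ?? ''}`;
  return raw.replace(WHITESPACE, '');
}

// Returns the signature plus the headers the page requires on every request.
function signRequest({ accessKey, secretKey, timestamp, method, body }) {
  const prehash = buildPrehash(timestamp, method, body);
  // Lowercase hex digest, the same output form as PHP's hash_hmac().
  const signature = createHmac('sha256', secretKey).update(prehash, 'utf8').digest('hex');
  return {
    prehash,
    signature,
    headers: {
      Authorization: `Bearer ${accessKey}:${signature}`,
      'X-O-Timestamp': String(timestamp),
      'Content-Type': 'application/json',
    },
  };
}

// Constructed sample values. Load the real secret from server-side
// configuration; it must never be shipped to a browser or mobile client.
const demo = signRequest({
  accessKey: 'ACCESS_KEY_PLACEHOLDER',
  secretKey: 'SECRET_KEY_PLACEHOLDER',
  timestamp: '1592352000', // placeholder; the page does not state the timestamp format
  method: 'post',
  body: JSON.stringify({ amount: '9.00', currency: 'INR', note: 'order 42' }, null, 2),
});
// Whitespace inside string values is stripped too: "order 42" is signed as "order42".
console.log(demo.prehash);
console.log(demo.headers.Authorization);
```

Because the prehash drops whitespace inside string values as well, a pretty-printed body and its compact form produce the same signature, so a mismatch is more likely caused by the timestamp, method case or key than by JSON formatting.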