Payment Notify (Callback)
Symmetric Signature
We added X-SIGNATURE using Symmetric Signature in the callback header to ensure the callback request comes from the Ifortepay server. We encourage every merchant to always check the validity of the signature for each callback request before processing it.
Overview
The signature is generated using HMAC-512 with your client secret as the key. The resulting signature must be encoded using Base64.
Formula
shell
Signature = HMAC_512(clientSecret, stringToSign)
Components
clientSecret
Client Secret is a secret code created by the Merchant to validate the Symmetric Signature. The Merchant is required to send the Client Secret to Ifortepay during the merchant onboarding process.
stringToSign
stringToSign is created by combining several values separated by a colon ":". The details are as follows:
shell
stringToSign = Partner notify URL + ":" + X-VERSION +
":" + Lowercase(HexEncode(SHA-256(minify(RequestBody)))) +
":" + X-TIMESTAMP
Example of generated stringToSign:
https://merchant.com/callback:v1:45a5f699b2eb0b16453a347a933c8fde551a33d3a02c9c395c3fc615a504dcb5:2022-12-13T09:00:00+07:00
Partner payment notify URL
The complete notify URL of the merchant registered with Ifortepay, which is used to receive callback data from Ifortepay.
X-VERSION
The API Callback version placed in the request headers. The default value is v1.
Request Body/payload
The API body of each request must be hashed with SHA-256 encoding in binary format. Make sure the RequestBody is the same as the RequestBody used to create the signature. Before hashing it with SHA-256, change the RequestBody to minified JSON format (no spaces, except inside JSON keys or values). If there is no RequestBody, use an empty string.
X-Timestamp
Timestamp of when the request was invoked. The timestamp must follow the ISO8601 format (yyyy-MM-ddTHH:mm:ssZ). E.g.: 2021-11-02T13:14:15+07:00
shell
YYYY = four-digit year
MM = two-digit month (01 = January, etc.)
DD = two-digit day of month (01 through 31)
T = literal 'T' as date and time separator
hh = two digits of hour (00 through 23) (am/pm NOT allowed)
mm = two digits of minute (00 through 59)
ss = two digits of second (00 through 59)
Z = time zone designator (+hh:mm or -hh:mm)
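
The check described above, written out as a merchant-side verifier. This is an added example, not Ifortepay's own code. It assumes HMAC-512 means HMAC with SHA-512, that the secret and stringToSign are UTF-8 encoded, and that re-serialising the JSON without whitespace matches the sender's minify step; the secret, body fields and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def minify(raw_body: bytes) -> str:
    """Minified JSON text of the body; a missing body becomes ""."""
    if not raw_body.strip():
        return ""
    # Assumption: re-serialising without whitespace reproduces the sender's
    # minify step (key order kept, non-ASCII characters left unescaped).
    return json.dumps(json.loads(raw_body), separators=(",", ":"), ensure_ascii=False)


def string_to_sign(notify_url: str, version: str, raw_body: bytes, timestamp: str) -> str:
    body_hash = hashlib.sha256(minify(raw_body).encode("utf-8")).hexdigest()  # lowercase hex
    return ":".join([notify_url, version, body_hash, timestamp])


def sign(client_secret: str, to_sign: str) -> str:
    # Assumption: HMAC-512 is HMAC with SHA-512; secret and string are UTF-8.
    mac = hmac.new(client_secret.encode("utf-8"), to_sign.encode("utf-8"), hashlib.sha512)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_callback(client_secret: str, notify_url: str, headers: dict, raw_body: bytes) -> bool:
    """Return True only if X-SIGNATURE matches the recomputed signature."""
    try:
        received = headers["X-SIGNATURE"]
        to_sign = string_to_sign(notify_url, headers["X-VERSION"], raw_body, headers["X-TIMESTAMP"])
    except (KeyError, ValueError):  # missing header, or body that is not valid JSON
        return False
    expected = sign(client_secret, to_sign)
    # Constant-time comparison: do not reveal how much of the value matched.
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))


# Constructed sample data (not real credentials or a real Ifortepay payload).
SECRET = "constructed-client-secret"
URL = "https://merchant.com/callback"
BODY = b'{ "transaction_id": "TX-0001", "amount": 10000 }'
HEADERS = {"X-VERSION": "v1", "X-TIMESTAMP": "2022-12-13T09:00:00+07:00"}
HEADERS["X-SIGNATURE"] = sign(SECRET, string_to_sign(URL, "v1", BODY, HEADERS["X-TIMESTAMP"]))

if __name__ == "__main__":
    print(verify_callback(SECRET, URL, HEADERS, BODY))             # True
    print(verify_callback(SECRET, URL, HEADERS, b'{"amount":1}'))  # False: body changed
```

Pass the raw request bytes as received, and the notify URL exactly as registered with Ifortepay. The header lookup here is case-sensitive, so normalise header names first if your framework does not.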