
Authentication

Signature

The signature, sent in the request header as the X-SIGNATURE attribute, is used to make sure the request is valid and comes from a verified host. There are two kinds of signatures:

Asymmetric Signature

Asymmetric signature is used for features where the request is made by the merchant to Ifortepay, such as create payment, inquiry, etc.

Asymmetric signature without get token

Formula

SHA256withRSA is used to generate the signature with your Private Key as the key. The resulting signature should be encoded using Base64.

```js
Signature = SHA256withRSA(privateKey, stringToSign)
stringToSign = HTTPMethod + ":" + EndpointUrl + ":" + Lowercase(HexEncode(SHA-256(minify(RequestBody)))) + ":" + X-TimeStamp
```
Components
  1. privateKey
    The private key that you generate along with the public key. Make sure that you have sent the public key to Ifortepay. We will use the public key to verify signatures made with your private key. The key pair is RSA 2048-bit. This is an example of a private key:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDOfmGb5tlo2q+xg0OhaEg9yzREKYPhl70/6Cktfw6ljpLzyR/DZ9/qEP9J1wAMn+FSo/dXj7p82uerlnyeJRmS30R5dFLcTD6js3PwRPyTuu+JxmUHQgLagD2iT2aW0+E/QiSptcHA3cEe42G9GBizpGop3nGk585gw37qmCSbFHoYzp0qkABQvXUKPYs130nauTB2W0kg/Ylt2uJAmodgCTfTwyWP3DEtrRz9K+Ue9WEAg8U7M30unyYV76HIC3fdjPZ4SpxwM8yr9rGuvJhKErWnYk5T+yPrBdAgiwdeESsTm+fXpaBXx8dWKHmgRUF5QmE4udKIopIxN2dH9+qnAgMBAAECggEAWDE9Eh9l8rUX/dpgy7KkzBOaVpRemb67muxWjfJquIXsuIdJdCVMyoUI66oSgNHWI/wYu0KNNR8vfCcRQV/6DLMj5TWr4CAGTtdpqJBmSdg4z2C3LILighzsdgKwf7Gtzd07mGoi/vMXNNCLoX4FqtAJcalqYzKH/+bvMVXaqIqxMV/qrQ5LA/AQAoSGFuu8vQaQUeNadowOgq9Qs8t/ff6mrur2M5R2RAiMlYdMY0Yb42LTFVtHLFX0HU2WP4ItF3aoBj3e/8HL2sHJf6mAuY8Zd2pMgeh2AGMwgoA5Rn0hY7s3JqNuWgevNlnMUtx88oBNv2ayCYNLr6dGsn2zNQKBgQDaFaQJKAub6dSbymrCq0Z37R0YyjGiZly8RoOhWJW5WY/u8PfGJY0lN6YpqgteoNQ7+J0ZD8zqsrJr8nh5ZIX005V/WiknfsxUvnZd1P9SVcHd5Zfh+gtBnTkSvH5GggzMBo0auK0qvqldhLENk48J2G8+aFtqHK0aU478OGf9dQKBgQDyZNzKkyuBq+kZwnWadJWO28I1rSBCfqmXEkd+/0scmlXPe1fYLG9TAJjVAVFIgoYtuDXanZpcZf3Vx6SLS/+yR/cA6DdZm+62nRkMjJH+4D8geMkFIff4SHTvWVCdJagZS8jQGEG0cxNq7dwq9NaFx9Ih2gu0xAWzUv8PKzv4KwKBgCfvaI9ort+JLS6uHWiydoAFgpuEgxxLBFZRz07fauN7HBlUNPsq6zLSgvIEOnrElri4qQPq2cpsmLGdwCPynXkcubaNaxXZaU9nZUN/epW4MH0SywJNiHwmb0oYDEObEv7VgEdRZBx8t4TxhH6I89uIr65M69h9kdFNVdSn+5r1AoGBAInU1L/UI78ek/Pz4Y+sj4ama669/UQSZjjjSghq/rkLAZRznKXtzneyNTWaBDBpGAdTYjwntiioTkiLt4MF+iXUSh4X7bFku77XYfEC1dnKhdrfE995S1nBScz4SqCxUv7fWxcJVANaFEaPbsx2YK29zD03kcR+Wod3wFVNzlH1AoGBAJTtP4mA9swEc/6v6Opts+b5KUa54+yk5e06pS03J9Tz5cVnexIso7/u16P4ORZdLdRI91m4oboa/kchOY6LPF8Z91w2pe6UGC0rqjAmK4lWl7iydQDPxMAnFwowo40t26osPNMy4bFvqQz+kMYEedR2X+albeqe/XYlogc+/F3n
-----END PRIVATE KEY-----
  2. publicKey
    This is an example of a public key:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzn5hm+bZaNqvsYNDoWhIPcs0RCmD4Ze9P+gpLX8OpY6S88kfw2ff6hD/SdcADJ/hUqP3V4+6fNrnq5Z8niUZkt9EeXRS3Ew+o7Nz8ET8k7rvicZlB0IC2oA9ok9mltPhP0IkqbXBwN3BHuNhvRgYs6RqKd5xpOfOYMN+6pgkmxR6GM6dKpAAUL11Cj2LNd9J2rkwdltJIP2JbdriQJqHYAk308Mlj9wxLa0c/SvlHvVhAIPFOzN9Lp8mFe+hyAt33Yz2eEqccDPMq/axrryYShK1p2JOU/sj6wXQIIsHXhErE5vn16WgV8fHVih5oEVBeUJhOLnSiKKSMTdnR/fqpwIDAQAB
-----END PUBLIC KEY-----
  3. stringToSign
    A stringToSign is a colon-separated string derived from the request data, as below:
```js
stringToSign = HTTPMethod + ":" + EndpointUrl + ":" + Lowercase(HexEncode(SHA-256(minify(RequestBody)))) + ":" + X-TimeStamp
```

Request Body
The request body for the endpoint that the merchant is calling. Example:

```json
{
	"partnerServiceId": "40416",
	"customerNo": "00001237899",
	"virtualAccountNo": "4041600001237899",
	"trxId": "test-1231",
	"additionalInfo": {
		...
	}
}
```
  4. X-TIMESTAMP
    Timestamp of when the request was invoked. The timestamp must follow the ISO 8601 format (yyyy-MM-ddTHH:mm:ssZ). E.g.: 2021-11-02T13:14:15+07:00
```shell
YYYY = four-digit year
MM = two-digit month (01 = January, etc.)
DD = two-digit day of month (01 through 31)
T = literal 'T' as date and time separator
hh = two digits of hour (00 through 23) (am/pm NOT allowed)
mm = two digits of minute (00 through 59)
ss = two digits of second (00 through 59)
Z = time zone designator (+hh:mm or -hh:mm)
```
  5. HTTP Method
    Examples: POST, GET, PUT, PATCH, DELETE, etc.

  6. Endpoint URL
    Example: /v1.0/transfer-va/create-va

Example signature:

Encoded Base64 =
aUlPgyYtvC1kPdlMAzrsKVQcyvAzAl7ymc1L8rZcm0qjrypweElxMS482rOrpHGnJEdMncuWRQmgbos5QN4YflG4wLaOpQh3k/VpPJAfPX7/VexMCtx7l9Bf6FV9z+d+ywV15gvbYKOlU8XaPdWgSwgVWrALOWb7q5wMjWyjD1ZqvkVPssIQy0CEf1qIwQ91eWrfrY6guKbKq7ZXdbDPGpBBejDg3GlWEDg0hiyaAEYPlYlBXbrcnBNL4iJzbesvUGrXNWGWxn3tinnfHwPQp9UAl1fGZvvcpCgVeFSITmyiQQxisQxzZ5uxxf8v1uCXAtnCtYBBUyU1EZrfMKCm1g==

Security

Secured Channel Communication

IFP implements Transport Layer Security (TLS) 1.3 as the security baseline. Please also provide your IP address to us so that it can be whitelisted for secured connections.

iFortepay API Documentation