Authentication
1. Signature
The signature, sent in the request header as the X-SIGNATURE attribute, is used to confirm that the request is valid and comes from a verified host.
⚠️ Important Integration Guidelines:
- The Asymmetric and Symmetric signature methods detailed below are strictly used for validating API product services. The signature methods cannot be used for the API access token B2B generation request. If you are looking for the signature requirements to request an API access token B2B, please navigate to the Access Token B2B menu for the specific signature details.
- There are two types of signatures used in this system: Asymmetric and Symmetric. However, for the Disbursement product services, you must use the Symmetric signature method to call the API. Asymmetric signatures without a token are not supported for disbursement features.
1.1. Asymmetric signature without get token
Formula
SHA256withRSA is used to generate the signature with your Client Secret as the key. The resulting signature should be encoded using Base64.
```js
Signature = SHA256withRSA(clientSecret, stringToSign)
stringToSign = HTTPMethod + ":" + EndpointUrl + ":" + Lowercase(HexEncode(SHA-256(minify(RequestBody)))) + ":" + X-TimeStamp
```
clientSecret
A `clientSecret` is an encryption key. Its value is alphanumeric and may include the symbols `!@#$%^`. The Client Secret is a secret code created by the merchant to validate the signature. The merchant is required to send the Client Secret to Ifortepay during the merchant onboarding process. Example client secret:
```
clientSecret = o7sWnn0oGXF7y7JBGf18!
```
stringToSign
A `stringToSign` is a colon-separated string derived from request data as below:
```js
stringToSign = HTTPMethod + ":" + EndpointUrl + ":" + Lowercase(HexEncode(SHA-256(minify(RequestBody)))) + ":" + X-TimeStamp
```
Request Body
The request body sent to the endpoint the merchant is calling. Example:
```json
{
  "partnerServiceId": "40416",
  "customerNo": "00001237899",
  "virtualAccountNo": "4041600001237899",
  "trxId": "test-1231",
  "additionalInfo": {
    ...
  }
}
```
X-TIMESTAMP
Timestamp of when the request was invoked. The timestamp must follow the ISO8601 format (yyyy-MM-ddTHH:mm:ssZ), e.g. 2021-11-02T13:14:15+07:00
```shell
YYYY = four-digit year
MM = two-digit month (01 = January, etc.)
DD = two-digit day of month (01 through 31)
T = literal 'T' as date and time separator
hh = two digits of hour (00 through 23) (am/pm NOT allowed)
mm = two digits of minute (00 through 59)
ss = two digits of second (00 through 59)
Z = time zone designator (+hh:mm or -hh:mm)
```
HTTP Method
Example: POST, GET, PUT, PATCH, DELETE, etc.
Endpoint URL
Example: /v1.0/transfer-va/create-va
Example signature:
```
Encoded Base64 =
aUlPgyYtvC1kPdlMAzrsKVQcyvAzAl7ymc1L8rZcm0qjrypweElxMS482rOrpHGnJEdMncuWRQmgbos5QN4YflG4wLaOpQh3k/VpPJAfPX7/VexMCtx7l9Bf6FV9z+d+ywV15gvbYKOlU8XaPdWgSwgVWrALOWb7q5wMjWyjD1ZqvkVPssIQy0CEf1qIwQ91eWrfrY6guKbKq7ZXdbDPGpBBejDg3GlWEDg0hiyaAEYPlYlBXbrcnBNL4iJzbesvUGrXNWGWxn3tinnfHwPQp9UAl1fGZvvcpCgVeFSITmyiQQxisQxzZ5uxxf8v1uCXAtnCtYBBUyU1EZrfMKCm1g==
```
1.2. Symmetric signature with get access token
Symmetric-Signature: HMAC_SHA512(clientSecret, stringToSign), with the formula:
```js
stringToSign = HTTPMethod + ":" + EndpointUrl + ":" + AccessToken + ":" + Lowercase(HexEncode(SHA-256(minify(RequestBody)))) + ":" + TimeStamp
```
The symmetric signature is generated using the B2B Access Token.
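The symmetric formula above, as an added Python example covering both the signing side and a verifier that compares in constant time; this is not Ifortepay's own code. The Base64 output encoding, the empty-body handling, the function names and the access token value are assumptions, and the sample body is constructed from the request example on this page.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values: body fields from the request example on this page,
# additionalInfo left empty; ACCESS_TOKEN is a placeholder, not a real token.
CLIENT_SECRET = "o7sWnn0oGXF7y7JBGf18!"  # the page's example client secret
ACCESS_TOKEN = "EXAMPLE-B2B-ACCESS-TOKEN"
ENDPOINT = "/v1.0/transfer-va/create-va"
TIMESTAMP = "2021-11-02T13:14:15+07:00"
SAMPLE_BODY = """{
  "partnerServiceId": "40416",
  "customerNo": "00001237899",
  "virtualAccountNo": "4041600001237899",
  "trxId": "test-1231",
  "additionalInfo": {}
}"""


def minify(body: str) -> str:
    """Drop insignificant JSON whitespace; key order and values are kept."""
    if not body.strip():
        return ""  # assumption: a request without a body hashes the empty string
    return json.dumps(json.loads(body), separators=(",", ":"), ensure_ascii=False)


def string_to_sign(method, endpoint, access_token, body, timestamp):
    # hexdigest() is already lowercase hex, as the formula requires
    body_hash = hashlib.sha256(minify(body).encode("utf-8")).hexdigest()
    return ":".join([method, endpoint, access_token, body_hash, timestamp])


def sign(client_secret, method, endpoint, access_token, body, timestamp):
    message = string_to_sign(method, endpoint, access_token, body, timestamp)
    mac = hmac.new(client_secret.encode("utf-8"), message.encode("utf-8"), hashlib.sha512)
    return base64.b64encode(mac.digest()).decode("ascii")  # assumption: Base64 output


def verify(received, client_secret, method, endpoint, access_token, body, timestamp):
    """Receiver side: recompute over the raw body and compare in constant time."""
    try:
        expected = sign(client_secret, method, endpoint, access_token, body, timestamp)
    except ValueError:  # body is not valid JSON
        return False
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))
```

Both sides must minify the same way: re-serializing through a JSON parser can change number formatting, so a body containing non-string numeric values should be checked against the receiver's behaviour before going live.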
1.3. List of features signature compatibility
| Type | Feature | Asymmetric Signature Without Get Token | Symmetric Signature With Get Access Token |
|---|---|---|---|
| VIRTUAL_ACCOUNT | create-va | v | v |
| VIRTUAL_ACCOUNT | inquiry-va | v | v |
| VIRTUAL_ACCOUNT | delete-va | v | v |
| WALLET | qr-mpm-generate | v | v |
| WALLET | qr-mpm-query | v | v |
| WALLET | qr-mpm-cancel | v | v |
| DIRECT_DEBIT | registration-card-bind | v | v |
| DIRECT_DEBIT | otp-verification | v | v |
| DIRECT_DEBIT | registration-card-unbind | v | v |
| DIRECT_DEBIT | registration-account-binding | x | v |
| DIRECT_DEBIT | b2b2c | v | x |
| DIRECT_DEBIT | registration-account-unbinding | x | v |
| DIRECT_DEBIT | balance-inquiry | x | v |
| DIRECT_DEBIT | payment-host-to-host | v | v |
| DIRECT_DEBIT | status | v | v |
| DIRECT_DEBIT | cancel | v | v |
| BNPL | payment-calculation | v | v |
| BNPL | generate-checkout-url | v | v |
| BNPL | qr-checkout | v | v |
| BNPL | check-transaction-status | v | v |
| DISBURSEMENT | balance-inquiry | x | v |
| DISBURSEMENT | account-inquiry-external | x | v |
| DISBURSEMENT | transfer-interbank | x | v |
| DISBURSEMENT | transaction-history-detail | x | v |
| DISBURSEMENT | transaction-history-list | x | v |
| DISBURSEMENT | profile | x | v |
| DISBURSEMENT | countries | x | v |
| DISBURSEMENT | cities | x | v |
2. Security
Secured Channel Communication
IFP has implemented Transport Layer Security (TLS) 1.3 as the security baseline. Please also provide your IP address to us so that it can be whitelisted for secured connections.