Digital Signature

Redirect Forward Signature

To ensure that a payment request comes from a registered ESPAY merchant, the merchant signs the payload using RSA with the SHA-256 algorithm, and ESPAY verifies the signature using the merchant's public key.

Signature Elements:

Element | Value
Private Key | Generated by Merchant
Fields Combination | uuid + merchant key + payment id + bank code + bank product + salt string

Steps:

An example of generating the digital signature for Redirect Forward (in PHP):
Data example:

uuid : d1cc2fde-4f62-8a50-c0920e9c83de
merchant key : b9fa9537ea53ae6209a06d6e9ae204f0
payment id : ESPTRX21183111
bank code : 014
bank product : KLIKPAYBCA
Salt String : REDIRECTF


  • Step 1
  • Combine the data parameters in sequence, separated by a double number sign "##"
    ##uuid##merchant key##payment id##bank code##bank product##salt##
    Result will be:
    ##d1cc2fde-4f62-8a50-c0920e9c83de##b9fa9537ea53ae6209a06d6e9ae204f0##ESPTRX21183111##014##KLIKPAYBCA##REDIRECTF##

  • Step 2
  • Compute signature using RSA with SHA256 algorithm
    $data = "##d1cc2fde-4f62-8a50-c0920e9c83de##b9fa9537ea53ae6209a06d6e9ae204f0##ESPTRX21183111##014##KLIKPAYBCA##REDIRECTF##";
    $privateKey = openssl_pkey_get_private("file://path/to/key/private.pem");
    openssl_sign($data, $signature, $privateKey, OPENSSL_ALGO_SHA256);

  • Step 3
  • Encode result from Step 2 to base64:
    $signature = base64_encode($signature);
    Use the result from Step 3 as the value of signature field on ESPAY Redirect Forward form.

API Signature

Signature Elements:

API | Message | Combination
Inquiry Merchant Info | Request | Signature Key + rq_uuid + rs_datetime + key + MERCHANTINFO
Inquiry Merchant Info | Response | Signature Key + rq_uuid + rs_datetime + key + MERCHANTINFO-RS
Inquiry Transaction | Request | Signature Key + rq_datetime + order_id + INQUIRY
Inquiry Transaction | Response | Signature Key + rq_uuid + rs_datetime + order_id + error_code + INQUIRY-RS
Payment Report / Payment Notification | Request | Signature Key + rq_datetime + order_id + PAYMENTREPORT
Payment Report / Payment Notification | Response | Signature Key + rq_uuid + rs_datetime + error_code + PAYMENTREPORT-RS
Check Payment Status | Request | Signature Key + rq_uuid + rq_datetime + comm_code + order_id + CHECKSTATUS
Check Payment Status | Response | Signature Key + rq_uuid + rs_datetime + error_code + order_id + CHECKSTATUS-RS

Steps:

Here is an example of generating the signature for the Inquiry Merchant Info API:
Data example:

Signature Key : zwvqhkqqo4gvfwwk
datetime : 2020-08-13T04:20:43+0700
Key (Merchant Key) : bdbf207efa0f59e83e31bc3f5e2872fe
Salt string : MERCHANTINFO

  • Step 1
  • Combine all parameters in sequence, separated by a double number sign "##"
    ## Signature Key ## rq_datetime ## Merchant Key ## MERCHANTINFO ##
    So, the result will be:
    ##zwvqhkqqo4gvfwwk##2020-08-13T04:20:43+0700##bdbf207efa0f59e83e31bc3f5e2872fe##MERCHANTINFO##

  • Step 2
  • Uppercase result from Step 1:
    ##ZWVQHKQQO4GVFWWK##2020-08-13T04:20:43+0700##BDBF207EFA0F59E83E31BC3F5E2872FE##MERCHANTINFO##

  • Step 3
  • Hash result from Step 2 using sha256 method:
    $hash = hash("sha256", "##ZWVQHKQQO4GVFWWK##2020-08-13T04:20:43+0700##BDBF207EFA0F59E83E31BC3F5E2872FE##MERCHANTINFO##");
    Result: 1c2acc38d8d5c15b3bb04fb05ebf47281dbe7c48714f9bc5362cd12ab8d57bcd
    Use the result from Step 3 as signature value.
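
Verifying a received API signature uses the same three steps as generating one, followed by a comparison. The PHP below is an added example, not ESPAY's own code: the function names, the `signature` field name and the sample order ID are assumptions, while the field order per salt string follows the Signature Elements table above.

```php
<?php
// Added example, not ESPAY code. Field order per salt string comes from the
// Signature Elements table; the 'signature' field name is an assumption.
const ESPAY_SIGNATURE_FIELDS = [
    'INQUIRY'          => ['rq_datetime', 'order_id'],
    'PAYMENTREPORT'    => ['rq_datetime', 'order_id'],
    'PAYMENTREPORT-RS' => ['rq_uuid', 'rs_datetime', 'error_code'],
];

function espaySignature(string $signatureKey, array $msg, string $salt): string
{
    if (!array_key_exists($salt, ESPAY_SIGNATURE_FIELDS)) {
        throw new InvalidArgumentException("Unknown salt string: $salt");
    }
    $parts = [$signatureKey];
    foreach (ESPAY_SIGNATURE_FIELDS[$salt] as $field) {
        if (!isset($msg[$field]) || !is_string($msg[$field])) {
            throw new InvalidArgumentException("Missing field: $field");
        }
        $parts[] = $msg[$field];
    }
    $parts[] = $salt;
    // Step 1: join with "##"; Step 2: uppercase; Step 3: SHA-256 (hex).
    return hash('sha256', strtoupper('##' . implode('##', $parts) . '##'));
}

function verifyEspayRequest(string $signatureKey, array $msg, string $salt): bool
{
    if (!isset($msg['signature']) || !is_string($msg['signature'])) {
        return false; // unsigned requests are rejected, never processed
    }
    try {
        $expected = espaySignature($signatureKey, $msg, $salt);
    } catch (InvalidArgumentException $e) {
        return false; // a missing signed field fails closed
    }
    // hash_equals() compares in constant time, unlike == or strcmp().
    return hash_equals($expected, strtolower($msg['signature']));
}

// Constructed sample data (the signature key is the page's example value).
$key = 'zwvqhkqqo4gvfwwk';
$request = ['rq_datetime' => '2020-08-13T04:20:43+0700', 'order_id' => 'ORDER-0001'];
$request['signature'] = espaySignature($key, $request, 'PAYMENTREPORT');
var_dump(verifyEspayRequest($key, $request, 'PAYMENTREPORT'));

$request['order_id'] = 'ORDER-0002'; // field changed after signing
var_dump(verifyEspayRequest($key, $request, 'PAYMENTREPORT'));
```

Because Step 2 uppercases the whole string, field values that differ only in letter case produce the same signature, so case-sensitive identifiers should be compared separately after verification.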