Digital Signature
Redirect Forward Signature
To ensure that a payment request comes from a registered ESPAY merchant, the merchant signs the payload using RSA with the SHA256 algorithm, and ESPAY verifies the signature using the merchant's public key.
Signature Elements:
Element | Value |
Private Key | Generated by Merchant |
Fields Combination | uuid + merchant key + payment id + bank code + bank product + salt string |
Steps:
An example of generating the digital signature for Redirect Forward (in PHP):
Data example:
uuid : d1cc2fde-4f62-8a50-c0920e9c83de
merchant key : b9fa9537ea53ae6209a06d6e9ae204f0
payment id : ESPTRX21183111
bank code : 014
bank product : KLIKPAYBCA
Salt String : REDIRECTF
- Step 1: Combine the data parameters in sequence, separated by a double number sign "##":
##uuid##merchant key##payment id##bank code##bank product##salt##
The result will be:
##d1cc2fde-4f62-8a50-c0920e9c83de##b9fa9537ea53ae6209a06d6e9ae204f0##ESPTRX21183111##014##KLIKPAYBCA##REDIRECTF##
- Step 2: Compute the signature using RSA with the SHA256 algorithm:
// String built in Step 1
$data = "##d1cc2fde-4f62-8a50-c0920e9c83de##b9fa9537ea53ae6209a06d6e9ae204f0##ESPTRX21183111##014##KLIKPAYBCA##REDIRECTF##";
// Load the merchant's private key and sign; the raw signature is written to $signature
$privateKey = openssl_pkey_get_private("file://path/to/key/private.pem");
openssl_sign($data, $signature, $privateKey, OPENSSL_ALGO_SHA256);
- Step 3: Encode the result from Step 2 to base64:
$signature = base64_encode($signature);
Use the result from Step 3 as the value of the signature field on the ESPAY Redirect Forward form.
API Signature
Signature Elements
API | Message | Combination |
Inquiry Transaction | Request | Signature Key + rq_datetime + order_id + INQUIRY |
Inquiry Transaction | Response | Signature Key + rq_uuid + rs_datetime + order_id + error_code + INQUIRY-RS |
Payment Report / Payment Notification | Request | Signature Key + rq_datetime + order_id + PAYMENTREPORT |
Payment Report / Payment Notification | Response | Signature Key + rq_uuid + rs_datetime + error_code + PAYMENTREPORT-RS |
Check Payment Status | Request | Signature Key + rq_datetime + order_id + CHECKSTATUS |
Steps:
Here is an example of generating the signature for the Inquiry Merchant Info API:
Data example:
Signature Key : zwvqhkqqo4gvfwwk
datetime : 2020-08-13T04:20:43+0700
Key (Merchant Key) : bdbf207efa0f59e83e31bc3f5e2872fe
Salt string : MERCHANTINFO
- Step 1: Combine all parameters in sequence, separated by a double number sign "##":
## Signature Key ## rq_datetime ## Merchant Key ## MERCHANTINFO ##
So, the result will be:
##zwvqhkqqo4gvfwwk##2020-08-13T04:20:43+0700##bdbf207efa0f59e83e31bc3f5e2872fe##MERCHANTINFO##
- Step 2: Uppercase the result from Step 1:
##ZWVQHKQQO4GVFWWK##2020-08-13T04:20:43+0700##BDBF207EFA0F59E83E31BC3F5E2872FE##MERCHANTINFO##
- Step 3: Hash the result from Step 2 using the sha256 method:
$hash = hash("sha256", "##ZWVQHKQQO4GVFWWK##2020-08-13T04:20:43+0700##BDBF207EFA0F59E83E31BC3F5E2872FE##MERCHANTINFO##");
Result: 1c2acc38d8d5c15b3bb04fb05ebf47281dbe7c48714f9bc5362cd12ab8d57bcd
Use the result from Step 3 as the signature value.
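The three API signature steps above, together with a check of a received signature, as an added example that is not ESPAY's own code. The function names are hypothetical, and the delimiter check and the constant-time comparison with hash_equals are additions that this page does not specify.

```php
<?php
// Added example, not ESPAY's code. Function names are hypothetical.

/** Build an API signature: "##f1##f2##...##", uppercased, then SHA-256 (hex). */
function espay_api_signature(array $fields): string
{
    foreach ($fields as $name => $value) {
        // Assumption (not from the page): reject empty fields and fields that
        // contain the "##" delimiter, since a delimiter inside a value would
        // let two different field sets produce the same signed string.
        if (!is_string($value) || $value === '' || strpos($value, '##') !== false) {
            throw new InvalidArgumentException("invalid signature field: $name");
        }
    }
    $plain = '##' . implode('##', $fields) . '##';   // Step 1: join in sequence
    return hash('sha256', strtoupper($plain));        // Step 2: uppercase, Step 3: hash
}

/** Recompute the signature and compare it with the received one in constant time. */
function espay_verify_signature(array $fields, string $received): bool
{
    return hash_equals(espay_api_signature($fields), $received);
}

// Values from the Inquiry Merchant Info data example on this page,
// in the order the combination lists them.
$fields = [
    'signature_key' => 'zwvqhkqqo4gvfwwk',
    'rq_datetime'   => '2020-08-13T04:20:43+0700',
    'merchant_key'  => 'bdbf207efa0f59e83e31bc3f5e2872fe',
    'salt'          => 'MERCHANTINFO',
];

$signature = espay_api_signature($fields);
echo "signature: ", $signature, PHP_EOL;

// The unmodified fields verify against the signature.
echo "original fields verify: ";
var_dump(espay_verify_signature($fields, $signature));

// Constructed tampering: the last character of the merchant key is changed.
// array_replace keeps the original field order, so only the value differs.
$tampered = array_replace($fields, ['merchant_key' => 'bdbf207efa0f59e83e31bc3f5e2872ff']);
echo "tampered fields verify: ";
var_dump(espay_verify_signature($tampered, $signature));
```

The same two functions apply to the other combinations in the Signature Elements table by passing their fields in the listed order.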