Symmetric in API Services is used for validating requests and endpoints of the Service Provider API called by the Converter. The Signature Service must always be created when calling any SNAP API.
Transactional API header consists of the following fields:
Request Header
| Field Name | Field Type | Field Description |
|---|---|---|
| Content-Type | String (Required) | Type of the content |
| Authorization | String (Required) | Represents access_token of a request; string starts with keyword “Bearer ” followed by access_token. Can get this token from Access Token B2B response. |
| X-TIMESTAMP | String (Required) | Using ISO 8601 as timestamp format. Transaction date time, in format YYYYMMDDTHH:mm:ss+07:00. Time must be in GMT+7 (Jakarta time). |
| X-SIGNATURE | String (Required) | Created using symmetric signature HMAC_SHA512 algorithm. Formulas: HMAC_SHA512 (clientSecret, stringToSign). stringToSign = HTTPMethod +”:“+ EndpointUrl +":"+ AccessToken+":“+ Lowercase(HexEncode(SHA256(minify (RequestBody))))+ ":“ +TimeStamp |
| X-PARTNER-ID | String (Required) | Unique ID for a partner (client_id). |
| X-EXTERNAL-ID | String (Required) | Merchant’s unique ID per transaction request. |
| CHANNEL-ID | String (Required) | PJP’s channel id. |
Steps to get the X-SIGNATURE Transactional API:
| No | Steps |
|---|---|
| 1 | Merchant Client Secret: ytMOJPatwtPilfsfykSBGplhxtxVSGpqaJaBRgAvzLXqzRrrUIYvaIujDpHYjxeU |
| 2 | Encrypt the string to sign: stringToSign = HTTPMethod +”:“+ EndpointUrl +":"+ AccessToken+":“+ Lowercase(HexEncode(SHA256(minify (RequestBody))))+ ":“ +TimeStamp stringToSign : POST:/ordersnap/api/v1.0/qr/qr-mpm-generate:ytMOJPatwtPilfsfykSBGplhxtxVSGpqaJaBRgAvzLXqzRrrUIYvaIujDpHYjxeU/I4WdeQx53UjiYMbWgPONMUXEDrHT4nfTRpehJ9C1mBhH1oivlF+TCx8xj9k2OlJy6AtCR00DR2kW+PvTE5zzx6zHkXR1BHSF61/0YY5aQDMQP2a09wKFWPUFf4RnGckwtP8rehVqw8A=:12f54e59ed57e9ee27a3811351b0e200dd43d96e27b920e7ae9ce384e5fe2d5f:2024-07-06T14:12:50+07:00 |
| 3 | By using merchant’s client secret to encrypt the value with HMAC_SHA512 algorithm, merchant will generate: GG7DfL893jQoRhuJ15FGBv6vxXNAkLYGwqKCOgcFh/a9ntHvvAm4QM7bWSSlyvqLoBI5kclqwoAoc57aKbKCwQ== |
| 4. | Put the signature string into HTTP Header “X-SIGNATURE“ from when call Transactional API. X-SIGNATURE = HMAC_SHA512 (clientSecret, stringToSign) |
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6It9pE72h1M4cdIEkoG0xSuNSJGptEMnlG2GgifWhWDpLDeGvcUh
X-TIMESTAMP: 2022-08-24 11:14:17
X-SIGNATURE: tmVw6o0TJRQCiEjuOdf6/jaX261ronRwMBNGzfoW7K2ERS52sFlVnaE2MtgDS/UpMtGSbIpC+gQv0j72HWb0iA==
X-PARTNER-ID: p00cb12g-w04q-42bb-l2de-e3enf4f487ce3
X-EXTERNAL-ID: 23456789012345
CHANNEL-ID: 98765