Signature Algorithm
- Signature algorithm is used to sign your payment API request with a private key to obtain additional security.
- Data object needs to be sorted, Nested object also needs to be sorted.
Step 1 : Prepare a Request Parameter
Method :
POST
- Refer to which API endpoint you are calling, below request parameter is just an EXAMPLE.
Example of Create Payment URL
| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
order |
Object | Yes | Order information, with keys of [id, title, amount, currencyType, additionalData] | |
customer |
Object | Yes | Customer information, with keys of [name, phone, email] | |
method |
String | No | List of Type, please refer to Deposit / Payment - Financial Process Exchange (FPX). If this is given, user will be redirected straight to the specific 3rd party payment page. If not, user will be redirected to Payment page to select the Payment Method. |
Order [Object]
| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
title |
String | Yes | Order title, max: 32 | "Deposit" |
additionalData |
String | No | Order description | |
amount |
String | Yes | Amount of order in Dollar. 100 = RM 100.00 | 100 |
currencyType |
String | Yes | Currency notation (currently only support MYR , USDT) | "MYR" |
id |
String | Yes | ID of the Order |
Customer [Object]
| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
name |
String | Yes | Customer Name | "Long Wan" |
email |
String | Yes | Customer Email | "" |
phone |
String | Yes | Customer Phone Number | "" |
Example Request
{
"order": {
"id": "A20221111",
"title": "Payment",
"amount": "88.50",
"currencyType": "MYR",
"additionalData": ""
},
"customer": {
"name": "Long Wan",
"phone": "0123456789",
"email": "longwan@gmail.com"
},
"method": "CIMB_MY"
}
- Sort the above json key alphabetically and make it compact.
Step 2 : Encode the data using Base64 format
ewogICAgIm9yZGVyIjogewogICAgCSJ0aXRsZSI6ICJoZWxsbyIsCiAgICAJImRldGFpbCI6ICIiLAogICAgCSJhZGRpdGlvbmFsRGF0YSI6ICJ3b3JsZCIsCgkgICAgImFtb3VudCI6IDEwLAoJICAgICJjdXJyZW5jeVR5cGUiOiAiTVlSIiwKCSAgICAiaWQiOiAgIjcyMTEiCiAgICB9LAogICAgImN1c3RvbWVyIjogewogICAgInVzZXJJZCI6ICIiLAogICAgImVtYWlsIjogIiIKfSwKICAgICJtZXRob2QiOltdLAogICAgInR5cGUiOiAiV0VCX1BBWU1FTlQiLAogICAgInN0b3JlSWQiOiAiMTYwODEyMzAzNTU2NDUzODEyMSIsCiAgICAicmVkaXJlY3RVcmwiOiAiaHR0cHM6Ly9yZXZlbnVlbW9uc3Rlci5teSIsCiAgICAibm90aWZ5VXJsIjogImh0dHBzOi8vZGV2LXJtLWFwaS5hcC5uZ3Jvay5pbyIsCiAgICAibGF5b3V0VmVyc2lvbiI6InYzIgp9
Step 3: Construct plain text parameters
- If the body is empty then the data parameter can be skipped.
| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
data |
String | Yes | Base64 data body from Step 2. | Refer to Step 2. |
method |
String | Yes | HTTP call method used | "post" |
nonceStr |
String | Yes | Random String | "VYNknZohxwicZMaWbNdBKUrnrxDtaRhN" |
requestURL |
String | Yes | API URL that you call must be exactly the same, together with URL. | gateway/v1/createPayment |
signType |
String | Yes | Sign Type, prefer SHA-256 | "sha256" |
timestamp |
String | Yes | UNIX timestamp of request | "1527407052" |
Example
data=ewogICAgIm9yZGVyIjogewogICAgCSJ0aXRsZSI6ICJoZWxsbyIsCiAgICAJImRldGFpbCI6ICIiLAogICAgCSJhZGRpdGlvbmFsRGF0YSI6ICJ3b3JsZCIsCgkgICAgImFtb3VudCI6IDEwLAoJICAgICJjdXJyZW5jeVR5cGUiOiAiTVlSIiwKCSAgICAiaWQiOiAgIjcyMTEiCiAgICB9LAogICAgImN1c3RvbWVyIjogewogICAgInVzZXJJZCI6ICIiLAogICAgImVtYWlsIjogIiIKfSwKICAgICJtZXRob2QiOltdLAogICAgInR5cGUiOiAiV0VCX1BBWU1FTlQiLAogICAgInN0b3JlSWQiOiAiMTYwODEyMzAzNTU2NDUzODEyMSIsCiAgICAicmVkaXJlY3RVcmwiOiAiaHR0cHM6Ly9yZXZlbnVlbW9uc3Rlci5teSIsCiAgICAibm90aWZ5VXJsIjogImh0dHBzOi8vZGV2LXJtLWFwaS5hcC5uZ3Jvay5pbyIsCiAgICAibGF5b3V0VmVyc2lvbiI6InYzIgp9&method=post&nonceStr=VYNknZohxwicZMaWbNdBKUrnrxDtaRhN&requestUrl=gateway/v1/createPayment&signType=sha256×tamp=1527407052
Step 4: Sign with CLIENT PRIVATE KEY
- Sign this content using
sha256with private key and make sure the public key has been uploaded to SUPERPAY Merchant Portal
| Type | Required | Description | Example |
|---|---|---|---|
| String | Yes | Sign the request data in Step 3 using PRIVATE_KEY | Response show as below |
Example of Signature
sha256 IrBg6t73VsH7ieEnQDB4CXHFjMWUkp8Dtddpxqw+4Gvz6Tag7Dx6nrfAt2ofYK8xZN9aBCvAKAfmAOGWIXnsTXfhFBnMA2kadiga7ufUJ81ozyhllbiliRM2ugw1OcqSTLRHWBPhrVwhHBxgDiG9wbuI3FKURrz+CufYYakFoCw=
Step 5: Place into Request Header
Put this Signature into header under X-Signature, construct the request and call API endpoint