To ensure that all interactions with the payment platform are secure, all data that is transmitted from the merchant’s web service to the platform must be authenticated with the signature parameter. A signature is a string generated from a set of data to be signed with the use of a secret key and an encryption algorithm, and it must be included in all requests. Signatures are also used in callbacks and certain responses (with the exception of responses that contain general information without the payment or customer details).
The signature string is generated as follows:
- The data to sign is validated: it must conform to the JSON format and must not contain a signature parameter, even if this parameter is empty.
- Each parameter in the request body is joined with its value into a single string, with the parameter names connected sequentially according to nesting level. For parameters in arrays, specify their index numbers directly. Within each string, the separator is a colon (‘:’). The resulting strings are sorted alphabetically and combined into a single line, separated by semicolons (‘;’).
- For the resulting string, the HMAC is calculated based on the SHA-512 hash function and the secret key provided by ECommPay. HMAC should be output as raw binary data.
- The result is encoded using the Base64 scheme.
- The result is passed as the value of the signature parameter, which is added to the request body in the appropriate place according to the specification.
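
The steps above, carried through in Python as an added example (it is not ECommPay's own code), together with a constant-time check of a received signature. The sample request, the key, the conversion of booleans to 1/0 and null to an empty string, and the use of code-point order for "alphabetically" are assumptions that this page does not state.

```python
import base64
import hashlib
import hmac

def flatten(value, path=()):
    """Yield one 'name:subname:...:value' row per leaf; list indexes act as names."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from flatten(child, path + (str(key),))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from flatten(child, path + (str(index),))
    else:
        # Assumption (not stated on the page): true/false -> 1/0, null -> "".
        if isinstance(value, bool):
            value = int(value)
        elif value is None:
            value = ""
        yield ":".join(path + (str(value),))

def strip_signature(value):
    """Return a copy of the data with every 'signature' parameter removed."""
    if isinstance(value, dict):
        return {k: strip_signature(v) for k, v in value.items() if k != "signature"}
    if isinstance(value, list):
        return [strip_signature(v) for v in value]
    return value

def string_to_sign(body):
    # Assumption: "alphabetically" is taken as plain code-point order.
    return ";".join(sorted(flatten(strip_signature(body))))

def sign(body, secret):
    digest = hmac.new(secret, string_to_sign(body).encode("utf-8"), hashlib.sha512).digest()
    return base64.b64encode(digest).decode("ascii")

def verify(body, received, secret):
    # Constant-time comparison avoids leaking how many leading characters match.
    return hmac.compare_digest(sign(body, secret), received)

# Constructed sample request and key, for illustration only.
SECRET = b"constructed-test-key"
REQUEST = {
    "general": {"project_id": 123, "payment_id": "order-42"},
    "payment": {"amount": 1000, "currency": "EUR"},
    "items": [{"sku": "A1", "gift": False}, {"sku": "B2", "gift": True}],
}
```

When checking a callback, pass the parsed body as received: `verify` removes the signature parameter before recomputing, so the same function serves both directions.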
For more information and interactive forms to test using signatures, see Signature generation and verification.