API Specifications: Payments Authentication and Security Management
6. API Specifications: Payments Authentication and Security Management
All API requests must be made through HTTPS. The Velocity API header value format is as follows:
- Use HTTP basic authentication to authenticate the request. See Basic Authentication Method for details.
- Specify the auth-parameter, where the overall parameter value is provided in the form of x-cpm-sec-token.
- x-cpm-sec-token is a unique value that you generate for a unique request. Velocity uses this value to verify if a request is submitted multiple times.
To generate the x-cpm-sec-token, complete the following steps:
- Extract the request/response body string.
- Remove all whitespace characters from the string, including spaces, tabs, newlines, and carriage returns.
- Append the salt to the body string.
  To append the salt, use the value that applies to the authentication type:
  a. For basic authentication, set the salt to base64 (API username + API password).
  b. For bearer authentication, CPD provides the bearer token to be used as the salt.
- Calculate sha-256 (body + salt) of the string.
- Set this hash string as the x-cpm-sec-token header in the request/response.
Note: Consider the following items:
- To generate the hash string, you can follow the same process at the receiver end.
- To validate the salt, compare the hash string with the x-cpm-sec-token from the header.
The following is an example of the parameters in the header section.
Authentication | Basic |
---|---|
x-cpm-sec-token | 6lutO0jd0h1YjlHqjAn6cjKYF5n2ZJjp%2fDNk08IGKS0%3d |
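
The sender and receiver sides of the procedure above, as an added example (not code from Velocity). It assumes the username and password are concatenated with no separator, UTF-8 encoding, and a base64 then percent-encoded digest, which is inferred from the shape of the sample header value; the credentials and body are constructed.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote


def basic_salt(username: str, password: str) -> str:
    """Salt for basic authentication: base64(API username + API password).
    Assumption: plain concatenation with no separator, UTF-8 encoded."""
    return base64.b64encode((username + password).encode("utf-8")).decode("ascii")


def sec_token(body: str, salt: str) -> str:
    """Strip whitespace, append the salt, hash with SHA-256."""
    compact = re.sub(r"[ \t\r\n]", "", body)  # space, tab, CR, newline
    digest = hashlib.sha256((compact + salt).encode("utf-8")).digest()
    # Assumption: base64 then percent-encoding, as the sample value suggests.
    return quote(base64.b64encode(digest).decode("ascii"), safe="")


def verify(body: str, salt: str, header_value: str) -> bool:
    """Receiver side: recompute the token and compare it with the header."""
    expected = unquote(sec_token(body, salt)).encode("ascii")
    received = unquote(header_value).encode("ascii", "replace")
    # Decode first so %3d and %3D compare equal; compare in constant time.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    salt = basic_salt("demo_user", "demo_pass")  # constructed credentials
    body = '{\n  "amount": 100,\n  "currency": "SGD"\n}'  # constructed body
    token = sec_token(body, salt)
    print("x-cpm-sec-token:", token)
    print("valid:", verify(body, salt, token))
    print("tampered:", verify(body.replace("100", "900"), salt, token))
```

Because the whitespace step runs over the whole body, spaces inside string values are removed as well, so two bodies that differ only in whitespace produce the same token.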