6. API Specifications: Payments Authentication and Security Management

All API requests must be made through HTTPS. The Velocity API header value format is as follows:

  • Use HTTP basic authentication to authenticate the request. See Basic Authentication Method for details.
  • Specify the auth-parameter, where the overall parameter value is provided in the form of x-cpm-sec-token.
  • x-cpm-sec-token is a unique value that you generate for a unique request. Velocity uses this value to verify if a request is submitted multiple times.

To generate the x-cpm-sec-token, complete the following steps:

  1. Extract the request/response body string.
  2. Remove all whitespace characters from the string, including spaces, tabs, newlines, and carriage returns.
  3. Append the salt to the body string.
    To append the salt, complete the following steps, as applicable to the authentication type:
    a. For basic authentication, set the salt to base64(API username + API password).
    b. For bearer authentication, CPD provides the bearer token to be used as salt.
  4. Calculate the SHA-256 hash of the resulting string (body + salt).
  5. Set this hash string as the x-cpm-sec-token header in the request/response.

Note: Consider the following items:

  • The receiver can follow the same process to generate the hash string.
  • To validate the salt, compare the hash string with the x-cpm-sec-token from the header.
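
The generation steps and the receiver-side comparison described above, as an added Python example that is not Velocity's own code. It assumes direct concatenation of username and password, UTF-8 text, and base64 plus percent-encoding of the digest (inferred from the sample header value on this page); the credentials and body are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

def strip_whitespace(body: str) -> str:
    # Step 2: drop spaces, tabs, newlines and carriage returns only.
    return body.translate({ord(c): None for c in " \t\n\r"})

def basic_salt(username: str, password: str) -> str:
    # Step 3a: base64(API username + API password). Direct concatenation and
    # UTF-8 are assumptions; the page names no separator or charset.
    return base64.b64encode((username + password).encode("utf-8")).decode("ascii")

def sec_token(body: str, salt: str) -> str:
    # Steps 2-4: SHA-256 over the whitespace-stripped body followed by the salt.
    digest = hashlib.sha256((strip_whitespace(body) + salt).encode("utf-8")).digest()
    # Assumption: base64, then percent-encoding, as the page's sample value
    # (44 characters once its %2f and %3d escapes are decoded) suggests.
    return quote(base64.b64encode(digest).decode("ascii"), safe="")

def verify_sec_token(body: str, salt: str, header_value: str) -> bool:
    # Receiver side: recompute the token and compare in constant time.
    # Both values are percent-decoded first so %3d and %3D compare equal.
    expected = unquote(sec_token(body, salt))
    return hmac.compare_digest(expected.encode(), unquote(header_value).encode())

# Constructed sample request; credentials and body are placeholders.
SALT = basic_salt("api-user", "api-pass")
BODY = '{\n  "amount": "10.00",\n  "currency": "USD"\n}'
TOKEN = sec_token(BODY, SALT)

if __name__ == "__main__":
    print("x-cpm-sec-token:", TOKEN)
    compact = '{"amount":"10.00","currency":"USD"}'
    print("same body, reformatted:", verify_sec_token(compact, SALT, TOKEN))
    tampered = BODY.replace("10.00", "99.00")
    print("tampered amount:", verify_sec_token(tampered, SALT, TOKEN))
```

Because step 2 removes whitespace everywhere, including inside quoted string values, two bodies that differ only in whitespace yield the same token.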

The following is an example of the parameters in the header section.

  Authentication: Basic
  x-cpm-sec-token: 6lutO0jd0h1YjlHqjAn6cjKYF5n2ZJjp%2fDNk08IGKS0%3d