Security

How to make safe payment requests.

Signature

The signature should use SHA256 as the HMAC hash function.

| Header | Type | Description |
| --- | --- | --- |
| Content-Type | string | application/json; charset=UTF-8 |
| AppId | string | Your App ID in payout platform |
| Authorization | string | SHA256($sorted_params + $app_key) |

Find $AppId and $app_key in the merchant dashboard.

Sign Method

  • Sort the request params in ascending order by name and join them as key=value pairs separated by "&" (see the examples below).

  • Concatenate sorted_params with app_key.

  • Use sha256(sorted_params + app_key) to get the Authorization.

When sorting parameters, strip the ones with no value.

Letters in Authorization need to be lower case.

Sign Coding Example

package com.pagsmile.ts;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import java.util.Map;
import java.util.TreeMap;

// Enclosing class added so the methods compile; the name SignUtil is illustrative.
public class SignUtil {

    // Authorization = sha256(sorted_params + app_key), as lower-case hex.
    public static String getSign(Map<String, String> params, String authKey) {
        String param = sortParam(params) + authKey;
        return sha256(param);
    }

    // SHA-256 digest of the UTF-8 bytes of str, hex encoded.
    public static String sha256(String str) {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            byte[] encodedhash = digest.digest(str.getBytes(StandardCharsets.UTF_8));
            return bytesToHex(encodedhash);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("algorithm not supported", e);
        }
    }

    // Builds key=value pairs joined by "&", keys in ascending order,
    // skipping parameters with no value. Errors propagate to the caller
    // instead of yielding an empty string, which would sign the key alone.
    public static String sortParam(Map<String, String> params) {
        Map<String, String> map = new TreeMap<>(params);

        StringBuilder sb = new StringBuilder();
        for (String k : map.keySet()) {
            String v = map.get(k);
            if (v != null && v.length() > 0) {
                sb.append(k).append("=").append(v).append("&");
            }
        }

        if (sb.length() <= 0) {
            return "";
        }

        // Drop the trailing "&".
        return sb.subSequence(0, sb.length() - 1).toString();
    }

    // Lower-case hex encoding, two digits per byte.
    private static String bytesToHex(byte[] hash) {
        StringBuilder hexString = new StringBuilder(2 * hash.length);
        for (int i = 0; i < hash.length; i++) {
            String hex = Integer.toHexString(0xff & hash[i]);
            if (hex.length() == 1) {
                hexString.append('0');
            }
            hexString.append(hex);
        }
        return hexString.toString();
    }
}

Sign Example

Sample request:

{
	"account_digit": "4",
	"account_number": "1234567",
	"account_type": "CHECKING",
	"additional_remark": "1234567_test",
	"amount": "10.00",
	"bankcode": "001",
	"branch": "0001",
	"custom_code": "1234567",
	"document_id": "50284414727",
	"document_type": "CPF",
	"fee": "merchant",
	"name": "Test User Name",
	"notify_url": "https://www.pagsmile.com",
	"payout_currency": "BRL",
	"source_currency": "BRL"
}

Sorted parameters before hashing:

account_digit=4&account_number=1234567&account_type=CHECKING&additional_remark=1234567_test&amount=10.00&bankcode=001&branch=0001&custom_code=1234567&document_id=50284414727&document_type=CPF&fee=merchant&name=Test User Name&notify_url=https://www.pagsmile.com&payout_currency=BRL&source_currency=BRL

Concatenate sorted_params with app_key (example app key ABCDE):

account_digit=4&account_number=1234567&account_type=CHECKING&additional_remark=1234567_test&amount=10.00&bankcode=001&branch=0001&custom_code=1234567&document_id=50284414727&document_type=CPF&fee=merchant&name=Test User Name&notify_url=https://www.pagsmile.com&payout_currency=BRL&source_currency=BRLABCDE

sha256 hash

b15f900705867ecc3f66088054c14a80f9f12b1fb31c82320c4cbfe181876abb
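The same procedure outside Java, as an added example that is not part of the original page or the platform's own code: it builds the three request headers for the sample request and shows how a receiving side could recompute the value and compare it in constant time. The function names, the "extra_field" key, the YOUR_APP_ID placeholder, the rejection of non-string values and the verify step are assumptions made for illustration.

```python
import hashlib
import hmac

# Sample request from the page, plus one constructed empty field ("extra_field").
SAMPLE = {
    "account_digit": "4", "account_number": "1234567", "account_type": "CHECKING",
    "additional_remark": "1234567_test", "amount": "10.00", "bankcode": "001",
    "branch": "0001", "custom_code": "1234567", "document_id": "50284414727",
    "document_type": "CPF", "fee": "merchant", "name": "Test User Name",
    "notify_url": "https://www.pagsmile.com", "payout_currency": "BRL",
    "source_currency": "BRL", "extra_field": "",
}

def sorted_params(params):
    """Join key=value pairs with '&', keys ascending, empty values stripped."""
    pairs = []
    for key in sorted(params):
        value = params[key]
        if value is None or value == "":
            continue  # "strip the ones with no value"
        if not isinstance(value, str):
            # Assumption: refuse non-strings so 10.0 is never signed where "10.00" is sent.
            raise TypeError(f"{key}: expected str, got {type(value).__name__}")
        pairs.append(f"{key}={value}")
    return "&".join(pairs)

def sign(params, app_key):
    """sha256(sorted_params + app_key) as lower-case hex."""
    data = sorted_params(params) + app_key
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def build_headers(params, app_id, app_key):
    """The three headers listed in the header table."""
    return {
        "Content-Type": "application/json; charset=UTF-8",
        "AppId": app_id,
        "Authorization": sign(params, app_key),
    }

def verify(params, authorization, app_key):
    """Assumed receiver-side check: recompute, then compare in constant time."""
    return hmac.compare_digest(sign(params, app_key).encode(), authorization.encode())

if __name__ == "__main__":
    headers = build_headers(SAMPLE, "YOUR_APP_ID", "ABCDE")  # placeholder id, page's example key
    print(headers["Authorization"])
    print(verify(dict(SAMPLE, amount="1000.00"), headers["Authorization"], "ABCDE"))  # False
```

Sign the exact strings that go into the JSON body: a value serialized as 10.0 in one place and "10.00" in the other produces a different Authorization value.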
