Open API Authentication Method

OpenAPI

The following is a list of supported Open APIs:

openApi

All Open APIs mentioned in this document must go through the signature process, Send below parameters in HTTP Header

appKey
appkey from Merchant

appKey

appKey generate from merchant backup system

timestamp

Time(milliseconds)

signToken

Signature

Process

  1. Key management generates app_key and app_secret, which are stored in the pay_merchant_secret table on the server and exposed to the merchant.

  2. Merchants use appKey:secret_key123 in the request header for querying interface calls.

  3. For create, update, and delete operations, in addition to appKey, the merchant needs to sign with their private key and include a timestamp in the header (such as signToken:sign123, timestamp=1704643200000(ms)).

Use OpenSSL to generate RSA keys

signToken Generation Rule

  1. The merchant concatenates the pending signature string with the content: timestamp (in ms)_URI_param.

  2. Use the private key to sign the above pending signature string (private key generation method) to generate the signToken.

Concatenation Explanation

  1. The URI is the Path part, for example, /service-pay/sellerApi/getMerchantByUsername

  2. Concatenate the parameters and their values into a string, with parameter names and values connected by '=' (sorted in ascending order of ASCII code, comparing the next letter if the first letters are the same).

    • Get

    ?aparam=2&aaparam=3&username=4802097272&abparam=1

    Process result: aaparam=3&abparam=1&aparam=2&username=4802097272

    • Post

    {"username":"4802097272","aparam":"2","abparam":"1","aaparam":"3"}

    Process result: aaparam=3&abparam=1&aparam=2&username=4802097272

Note: The parameter concatenation process should occur before the caller encodes the parameters in the URL. The concatenated parameters do not need to go through URL encoding; symbols such as "&", ":", or Chinese characters should remain as they are. The concatenation process is independent of the encoding process that occurs during the transmission of the request.

  1. All parts are connected with underscores "_" to form a complete concatenated string.

Full Example

Example of Parameters for Signing:

Example Interface: /service-pay/sellerApi/getMerchantByUsername

Merchant Public Key

Merchant Secret Key

Timestamp:

124124

URL:

/service-pay/sellerApi/getMerchantByUsername

HTTP Body:

null

Sorted and Concatenated String for Signing

124124_/service-pay/sellerApi/getMerchantByUsername_aaparam=3&abparam=1&aparam=2&username=4802097272

Signature Generation

Generate a SHA256withRSA digest using the 'Sorted and Concatenated String for Signing' result with the 'Merchant Private Key', and encode it in Base64.

Note: When passing the result from step 3 to SHA256withRSA for calculation, ensure that the string is UTF-8 encoded. Below is a Java code example.

The signature generated using the merchant's private key mentioned above is:

PreviousOrder Status NotificationNextUse OpenSSL to generate RSA keys

Last updated