Open API Authentication Method
OpenAPI
The following is a list of supported Open APIs:
openApi
All Open APIs mentioned in this document must go through the signature process. Send the following parameters in the HTTP header:
appKey | appkey from Merchant |
---|---|
appKey | appKey generated by the merchant backup system |
timestamp | Time (milliseconds) |
signToken | Signature |
Process
Key management generates app_key and app_secret, which are stored in the pay_merchant_secret table on the server and exposed to the merchant.
Merchants send appKey:secret_key123 in the request header for query interface calls.
For create, update, and delete operations, in addition to appKey, the merchant needs to sign with their private key and include a timestamp in the header (such as signToken:sign123, timestamp=1704643200000(ms)).
signToken Generation Rule
The merchant builds the string to be signed by concatenating the following content: timestamp (in ms)_URI_param.
Use the private key to sign the above pending signature string (private key generation method) to generate the signToken.
Concatenation Explanation
The URI is the Path part, for example, /service-pay/sellerApi/getMerchantByUsername
Concatenate the parameters and their values into a string, with parameter names and values connected by '=' (sorted in ascending order of ASCII code, comparing the next letter if the first letters are the same).
Get
?aparam=2&aaparam=3&username=4802097272&abparam=1
Process result: aaparam=3&abparam=1&aparam=2&username=4802097272
Post
{"username":"4802097272","aparam":"2","abparam":"1","aaparam":"3"}
Process result: aaparam=3&abparam=1&aparam=2&username=4802097272
Note: The parameter concatenation process should occur before the caller encodes the parameters in the URL. The concatenated parameters do not need to go through URL encoding; symbols such as "&", ":", or Chinese characters should remain as they are. The concatenation process is independent of the encoding process that occurs during the transmission of the request.
All parts are connected with underscores "_" to form a complete concatenated string.
Full Example
Example of Parameters for Signing:
Example Interface: /service-pay/sellerApi/getMerchantByUsername
Merchant Public Key
Merchant Secret Key
Timestamp:
124124
URL:
/service-pay/sellerApi/getMerchantByUsername
HTTP Body:
null
Sorted and Concatenated String for Signing
124124_/service-pay/sellerApi/getMerchantByUsername_aaparam=3&abparam=1&aparam=2&username=4802097272
Signature Generation
Generate a SHA256withRSA signature over the 'Sorted and Concatenated String for Signing' result using the 'Merchant Private Key', and encode it in Base64.
Note: When passing the result from step 3 to SHA256withRSA for calculation, ensure that the string is UTF-8 encoded. Below is a Java code example.
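The signing steps above, as an added Java example that is not the original page's or the platform's own code: it builds the timestamp_URI_param string for the page's sample request and signs it with SHA256withRSA. The class and method names, the throwaway key pair, and the verification step are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.stream.Collectors;

public class SignTokenExample { // hypothetical class name
    // Sort parameters by name (ascending ASCII order) and join name=value pairs with '&'.
    // Values are taken raw, before any URL encoding, as the page requires.
    static String canonicalParams(Map<String, String> params) {
        return new TreeMap<String, String>(params).entrySet().stream()
                .map(e -> e.getKey() + "=" + e.getValue())
                .collect(Collectors.joining("&"));
    }
    // Pending signature string: timestamp(ms)_URI_param
    static String stringToSign(long timestampMs, String uriPath, Map<String, String> params) {
        return timestampMs + "_" + uriPath + "_" + canonicalParams(params);
    }
    // SHA256withRSA over the UTF-8 bytes, Base64-encoded: the signToken header value.
    static String sign(String toSign, PrivateKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(toSign.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(s.sign());
    }
    // Assumed receiver-side check: rebuild the same string and verify with the public key.
    static boolean verify(String toSign, String signToken, PublicKey key) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(toSign.getBytes(StandardCharsets.UTF_8));
        return s.verify(Base64.getDecoder().decode(signToken));
    }
    public static void main(String[] args) throws Exception {
        // Throwaway key pair generated for the demo; a merchant loads its own private key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        // Parameters from the page's GET example, inserted in unsorted order.
        Map<String, String> params = new HashMap<>();
        params.put("aparam", "2");   params.put("aaparam", "3");
        params.put("username", "4802097272"); params.put("abparam", "1");
        String toSign = stringToSign(124124L, "/service-pay/sellerApi/getMerchantByUsername", params);
        String signToken = sign(toSign, kp.getPrivate());
        System.out.println(toSign);
        System.out.println("signToken: " + signToken);
        System.out.println("verifies: " + verify(toSign, signToken, kp.getPublic()));
        String tampered = toSign.replace("username=4802097272", "username=1");
        System.out.println("tampered verifies: " + verify(tampered, signToken, kp.getPublic()));
    }
}
```

The first printed line matches the page's 'Sorted and Concatenated String for Signing'; the signToken differs from any value the page lists because the key pair is generated at run time.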
The signature generated using the merchant's private key mentioned above is: