Signature Validation
Payright signature authentication strengthens API security by requiring a unique signature on every request. The signature lets the server confirm that a request came from the merchant and was not altered in transit. Each signature carries iat (issued at) and exp (expires at) claims, so merchants control how long a signed request remains valid. Merchants can enable or disable this feature according to their own security requirements.
How to Enable and Disable Signature
Merchants can manage the signature feature by navigating to Account > API Keys > Edit > JWT Verification, where they can enable or disable it as needed.
How to Construct the Signature
Sign the JSON Object Using HS256
Once the feature is enabled, the system validates each incoming API request by checking a JWT whose payload is the following JSON object, signed with the HS256 (HMAC-SHA256) algorithm. iat and exp are Unix timestamps in seconds, as required by the JWT specification.
{
    "auth-token": authToken,
    "http_method": "POST",
    "url_path": "/api/v1/example",
    "iat": currentTime,
    "exp": currentTime + 300 // Token expires in 5 minutes
}
Add the Signature to the Request Headers
The merchant application signs the JSON object as a JWT (HS256), using the hash key as the HMAC secret. The hash key is available in the Merchant Portal and must stay on the merchant's server: anyone holding it can produce valid signatures. The resulting compact JWT (header.payload.signature) is the value of the X-Signature header.
The generated X-Signature is sent alongside the existing auth-token header:
x-signature: the compact JWT signed with HMAC-SHA256 (HS256).
Validation of Signature
The server verifies the X-Signature with the same hash key: it recomputes the HMAC over the JWT header and payload and compares the result with the signature carried in the header. The auth-token, http_method and url_path claims bind the signature to one specific request, and iat and exp bound the time window in which it is accepted. If the signature matches and the claims agree with the request received, the request is deemed valid and proceeds for processing.
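The following is an added example, not Payright's own code, showing both sides of the scheme described above: the merchant side builds the HS256 JWT from the payload fields listed earlier, and the server side verifies it using only the Python standard library (no JWT library is required, which also makes the HMAC and base64url steps visible). The hash key, auth-token value and function names are illustrative assumptions; only the payload claims and the HS256 algorithm come from the page.

```python
"""Build and verify the Payright-style X-Signature JWT (HS256) with the
standard library only.  Added example; the key, token and function names
below are assumptions, not values from the Payright documentation."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding stripped by the encoder."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_signature(hash_key: str, auth_token: str, http_method: str,
                    url_path: str, now: Optional[int] = None,
                    ttl: int = 300) -> str:
    """Merchant side: return the compact JWT for the x-signature header."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "auth-token": auth_token,
        "http_method": http_method.upper(),
        "url_path": url_path,
        "iat": now,
        "exp": now + ttl,  # 300 s = the 5-minute lifetime used on the page
    }
    compact = json.dumps(header, separators=(",", ":")).encode()
    compact_payload = json.dumps(payload, separators=(",", ":")).encode()
    signing_input = _b64url(compact) + "." + _b64url(compact_payload)
    mac = hmac.new(hash_key.encode(), signing_input.encode(),
                   hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def verify_signature(hash_key: str, token: str, auth_token: str,
                     http_method: str, url_path: str,
                     now: Optional[int] = None) -> bool:
    """Server side: recompute the HMAC, compare in constant time, then check
    that the claims match the request actually received and that the
    current time lies inside [iat, exp)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed base64, JSON or wrong segment count
        return False
    # Pin the algorithm: never let the token choose it ("none"/alg confusion).
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(hash_key.encode(),
                        f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    # Bind the signature to this exact request.
    if (payload.get("auth-token") != auth_token
            or payload.get("http_method") != http_method.upper()
            or payload.get("url_path") != url_path):
        return False
    iat, exp = payload.get("iat"), payload.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return False
    return iat <= now < exp


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    KEY, TOKEN, PATH = "demo-hash-key", "demo-auth-token", "/api/v1/merchant/bills"
    sig = build_signature(KEY, TOKEN, "POST", PATH, now=1_700_000_000)
    print("x-signature:", sig)
    print("valid now:", verify_signature(KEY, sig, TOKEN, "POST", PATH,
                                         now=1_700_000_100))
```

The verifier checks the MAC before looking at any claim, uses hmac.compare_digest rather than == to avoid a timing side channel, and rejects tokens whose header does not say HS256 so that a forged alg:none token can never pass. A production deployment would normally also allow a few seconds of clock skew around iat.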
Sample Header
An example of an API request header carrying the signature together with the other required headers is shown below. The Host header holds only the host name; the path belongs in the request line.
POST /api/v1/merchant/bills HTTP/1.1
Host: api.payright-sandbox.my
Content-Type: application/json
auth-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.TFAtQjgxNjJFRTAtTU18NTI3Nz
x-signature: {{signature}}