
Signature

Asymmetric Signature

The Asymmetric Signature is used by Finnet to verify that your access token request has not been tampered with or altered by attackers.

The outline of the HMAC validation process is as follows:

  1. Retrieve Timestamp from HTTP Header (X-TIMESTAMP).

  2. Retrieve the Client Key from HTTP Header (X-CLIENT-KEY).

  3. Lookup the API Secret corresponding to the received key in internal store.

  4. Retrieve the client HMAC, in lowercase hexadecimal format, from HTTP Header (X-SIGNATURE).

  5. Calculate HMAC using the API Secret as the HMAC secret key.

  6. Compare client HMAC with calculated HMAC.

If the HMAC hash comparison fails, the API Gateway will return an HTTP 401 error code along with the following error message in JSON format:

{
"responseCode" : "4017300",
"responseMessage" : "Unauthorized. Invalid Signature"
}

If the HMAC calculation is successful and the calculated value matches the value received from the client, the signature is considered valid.

Generate Asymmetric Signature

SHA256withRSA is used to generate the signature, with your Private Key as the key:

Note: X-SIGNATURE should be Base64-encoded.

The StringToSign will be a colon-separated list derived from some request data, as below:

Note

Partners need to send their public key in X.509 format for Finnet to use when verifying the signature.

Sample public key in X.509 format:

Symmetric Signature

The Symmetric Signature is used by Finnet to verify that your Open API service request has not been tampered with or altered by attackers.

The outline of the HMAC validation process is as follows:

  1. Retrieve Timestamp from HTTP Header (X-TIMESTAMP)

  2. Retrieve the Client Key from HTTP Header (X-CLIENT-KEY)

  3. Lookup the API Secret corresponding to the received key in internal store

  4. Retrieve the client HMAC, in lowercase hexadecimal format, from HTTP Header (X-SIGNATURE)

  5. Calculate HMAC using the API Secret as the HMAC secret key

  6. Compare client HMAC with calculated HMAC

If the HMAC hash comparison fails, the API Gateway will return an HTTP 401 error code together with the following error message in JSON format:

Note: xx is the corresponding service code.

If the HMAC calculation is successful and the calculated value matches the value received from the client, the signature is considered valid.

Generate Symmetric Signature

SHA-512 HMAC is used to generate the signature, with your Client Secret as the key:

Note: X-SIGNATURE should be Base64-encoded.

The StringToSign will be a colon-separated list derived from some request data, as below:

HexEncode is optional; use it if the SHA-256 returns a binary stream.
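
The six validation steps listed above for the symmetric signature, written out in Python. This is an added example, not Finnet's code: the `fields` list that makes up the StringToSign, the sample key store and the header dictionary are assumptions, and X-SIGNATURE is taken to be the Base64 of the raw HMAC-SHA512 digest.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample store: Client Key -> API Secret (the "internal store" of step 3).
SECRET_STORE = {"demo-client": b"demo-secret"}


def _mac(secret: bytes, fields: list) -> bytes:
    # StringToSign is a colon-separated list; which request fields go into it,
    # and in what order, is defined by the API specification (assumed input here).
    string_to_sign = ":".join(fields)
    return hmac.new(secret, string_to_sign.encode("utf-8"), hashlib.sha512).digest()


def sign(secret: bytes, fields: list) -> str:
    """Client side: value to place in the X-SIGNATURE header."""
    return base64.b64encode(_mac(secret, fields)).decode("ascii")


def validate(headers: dict, fields: list, store=SECRET_STORE) -> int:
    """Gateway side: return the HTTP status (200 or 401) after steps 1-6.

    `headers` is assumed to be already normalised to these exact header names.
    """
    timestamp = headers.get("X-TIMESTAMP")      # step 1
    client_key = headers.get("X-CLIENT-KEY")    # step 2
    secret = store.get(client_key)              # step 3
    received = headers.get("X-SIGNATURE")       # step 4
    # A missing header or unknown key is rejected exactly like a bad signature,
    # so the response does not reveal which client keys exist.
    if not timestamp or secret is None or not received:
        return 401
    try:
        received_mac = base64.b64decode(received, validate=True)
    except (binascii.Error, ValueError):
        return 401                              # malformed Base64
    expected_mac = _mac(secret, fields)         # step 5
    # Step 6: constant-time comparison, so response timing does not reveal
    # how many leading bytes of a forged signature were correct.
    if not hmac.compare_digest(received_mac, expected_mac):
        return 401
    return 200
```
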
