# Signature

### Asymmetric Signature <a href="#asymmetric-signature" id="asymmetric-signature"></a>

The asymmetric signature is used by Finnet to verify that your access token request has not been tampered with or altered by attackers.

The outline of the HMAC validation process is as follows:

1. Retrieve the Timestamp from the HTTP Header (X-TIMESTAMP).
2. Retrieve the Client Key from the HTTP Header (X-CLIENT-KEY).
3. Look up the API Secret corresponding to the received key in the internal store.
4. Retrieve the client HMAC, in lowercase hexadecimal format, from the HTTP Header (X-SIGNATURE).
5. Calculate the HMAC using the API Secret as the HMAC secret key.
6. Compare the client HMAC with the calculated HMAC.

If the HMAC comparison fails, the API Gateway returns an HTTP 401 error code along with the following error message in JSON format:

```
{
  "responseCode" : "4017300",
  "responseMessage" : "Unauthorized. Invalid Signature"
}
```

If the HMAC calculation is successful and the calculated value matches the value received from the client, the signature is considered valid.

#### Generate Asymmetric Signature <a href="#generate-asymmetric-signature" id="generate-asymmetric-signature"></a>

SHA256withRSA is used to generate the signature, with your Private Key as the signing key:

```
X-SIGNATURE = SHA256withRSA(PrivateKey, StringToSign)
```

Note: `X-SIGNATURE` must be **Base64**-encoded.

The StringToSign is built from request data joined with the `|` separator, as below:

```
StringToSign = client_ID+"|"+X-TIMESTAMP
```

{% hint style="danger" %}
NOTE

Partners need to send their public key in X.509 format for Finnet to use when verifying the signature.
{% endhint %}

Sample public key in X.509 format:

```
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAomV+Vm1xlRXanmh108Kusls7SSKec0oCejtc9QG
Obpd4RnQ+7gihm2k6etnSNP7b+XrpY+fBkiQNaBInii9M10kW9Bhf/M9GH/edL3IqnzDNSi7tcoQgnO7h8x
mzLNWHTjtR6bkrsdBS5dry6htotaF5KXomuoYgztCdGDOa0W20aeLzYSXIoW7s/Ay5yIXt0xaXTll3/bmez
leguFPnwQZq5EqZFWlUZvutDi+f2l9rTRY0Fb64y+VAf+mnIbEovGqsPEeF/p97YWxcY7CWm8NsT0lwBVOt
kmEl967Brz5yvEObF5bJgVodi6mNVsN1ki0MCitIhYO8shcE7eUilQIDAQAB
-----END PUBLIC KEY-----
```

### Symmetric Signature <a href="#symmetric-signature" id="symmetric-signature"></a>

The symmetric signature is used by Finnet to verify that your Open API service request has not been tampered with or altered by attackers.

The outline of the HMAC validation process is as follows:

1. Retrieve the Timestamp from the HTTP Header (X-TIMESTAMP)
2. Retrieve the Client Key from the HTTP Header (X-CLIENT-KEY)
3. Look up the API Secret corresponding to the received key in the internal store
4. Retrieve the client HMAC, in lowercase hexadecimal format, from the HTTP Header (X-SIGNATURE)
5. Calculate the HMAC using the API Secret as the HMAC secret key
6. Compare the client HMAC with the calculated HMAC

If the HMAC comparison fails, the API Gateway returns an HTTP 401 error code together with the following error message in JSON format:

```
{
  "responseCode" : "401xx00",
  "responseMessage" : "Unauthorized. Invalid Signature"
}
```

Note: `xx` is the service code of the corresponding service.

If the HMAC calculation is successful and the calculated value matches the value received from the client, the signature is considered valid.

#### Generate Symmetric Signature <a href="#generate-symmetric-signature" id="generate-symmetric-signature"></a>

HMAC-SHA512 is used to generate the signature, with your Client Secret as the key:

```
X-SIGNATURE = HMAC-SHA512(ClientSecret, StringToSign)
```

Note: `X-SIGNATURE` must be **Base64**-encoded.

The StringToSign is a colon-separated string built from request data, as below:

```
StringToSign = HTTPMethod+":"+RelativeUrl+":"+AccessToken+":"+Lowercase(HexEncode(SHA-256(MinifyJson(RequestBody))))+":"+Timestamp
```

HexEncode is optional: apply it only if your SHA-256 implementation returns a raw binary digest rather than a hex string, since the value in the StringToSign must be the lowercase hex digest either way.
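As an added example (not Finnet's own code), the symmetric scheme above implemented in Python: building the StringToSign with the minified-body SHA-256, Base64-encoding the HMAC-SHA512, and the gateway-side constant-time check that rejects a request whose body was altered after signing. The client secret, access token, timestamp, relative URL and request body are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for the demo; not real credentials or a real endpoint.
CLIENT_SECRET = "example-client-secret"
ACCESS_TOKEN = "example-access-token"
TIMESTAMP = "2024-01-01T10:00:00+07:00"          # value sent in the X-TIMESTAMP header
RELATIVE_URL = "/v1.0/example-service"
REQUEST_BODY = '{\n  "amount": { "value": "10000.00", "currency": "IDR" }\n}'

def minify_json(body: str) -> str:
    """MinifyJson: re-serialise the body without whitespace so both sides hash identical bytes."""
    return json.dumps(json.loads(body), separators=(",", ":"), ensure_ascii=False)

def string_to_sign(method: str, relative_url: str, access_token: str,
                   body: str, timestamp: str) -> str:
    """HTTPMethod:RelativeUrl:AccessToken:Lowercase(HexEncode(SHA-256(MinifyJson(body)))):Timestamp"""
    body_hash = hashlib.sha256(minify_json(body).encode("utf-8")).hexdigest().lower()
    return ":".join([method.upper(), relative_url, access_token, body_hash, timestamp])

def sign(client_secret: str, sts: str) -> str:
    """Client side: X-SIGNATURE = Base64(HMAC-SHA512(ClientSecret, StringToSign))."""
    mac = hmac.new(client_secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha512).digest()
    return base64.b64encode(mac).decode("ascii")

def verify(client_secret: str, sts: str, received_signature: str) -> bool:
    """Gateway side: recompute the MAC and compare in constant time; malformed Base64 is rejected."""
    try:
        received = base64.b64decode(received_signature, validate=True)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(client_secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha512).digest()
    return hmac.compare_digest(expected, received)

def demo() -> dict:
    """Sign the sample request, then show that altering the body invalidates the signature."""
    sts = string_to_sign("POST", RELATIVE_URL, ACCESS_TOKEN, REQUEST_BODY, TIMESTAMP)
    signature = sign(CLIENT_SECRET, sts)
    tampered_sts = string_to_sign("POST", RELATIVE_URL, ACCESS_TOKEN,
                                  REQUEST_BODY.replace("10000.00", "1.00"), TIMESTAMP)
    return {"string_to_sign": sts, "x_signature": signature,
            "valid": verify(CLIENT_SECRET, sts, signature),
            "tampered_valid": verify(CLIENT_SECRET, tampered_sts, signature)}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```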

