
Signature and Message Header

To verify message integrity, each API request and response includes a message signature that must be validated. The message sender must generate the signature before sending the message, and the receiver must validate the signature before processing the message. Generating and validating the message signature involves the following steps.

Signature Algorithm Description

Step 1: Generate a signature string
The HTTP method, URL string, DateTime, Key, MsgID and HTTP body are concatenated in this fixed order, joined with newlines (\n), to get the signature string.
• HTTP method: POST/GET/PUT/DELETE.
• URL string: URL path + URL parameters.
• DateTime: The time to be sent in the request. The format is YYYY-MM-DDThh:mm:ss+hh:00, such as 2020-03-04T15:39:40+08:00.
• Key: The key assigned by EVO Cloud for signing / verifying.
• MsgID: The suggested value is a UUID or GUID that marks this request, such as 2d21a5715c034efb7e0aa383b885fc7a. Do not exceed 32 characters in length.
• HTTP body: All the parameters that you want to send in the request body. (A GET request does not have this parameter.)
Step 2: Calculate signature ciphertext
Sign the signature string using SHA256, SHA512, HMAC-SHA256 or HMAC-SHA512.
Step 3: Put the signature into the header of the HTTP request
Set Authorization in the header of the HTTP request to the sign value.

HTTP Header

The following parameters are mandatory in the HTTP header.
• Authorization: Sign value.
• Content-type: application/json.
• DateTime: The request time. The format is YYYY-MM-DDThh:mm:ss+hh:00, such as 2020-03-04T15:39:40+08:00.
• MsgID: The suggested value is a UUID or GUID that marks this request, such as 2d21a5715c034efb7e0aa383b885fc7a. Do not exceed 32 characters in length.
• SignType: The algorithm for calculating signatures: SHA256, SHA512, HMAC-SHA256 or HMAC-SHA512.

Example of signature

For example, the JSON message to be sent is as below:
The first step is to generate the signature string stringSign (joined with newlines (\n)), assuming signing key = hJ2uGZX2fadzOaYIQifxYVgcIxd60y5C0HlNIRyL2tc.
*Please watch for stray spaces if you copy the sample below from a PDF to confirm the signature.
• The second step is to calculate the signature value.
Sign Type is SHA256
Sign Type is HMAC-SHA256
• The third step is to put sign in the Header.
• Final data sent (CURL version):

Verify the message signature for the message to be received from EVO Cloud

It is highly recommended that the merchant verify the signature of every message from EVO Cloud, including API response messages and notification messages.
Here is an example of the response message from EVO Cloud for the above request sample. The following steps show how to verify its signature:
Step 1: Construct the string to be signed
Obtain the response body, and use the same rule described in 4.1 to construct the string to be signed. (For the response to a GET request, the body needs to be added to the string.)
Here is the example of the string to be signed:
Important: For a notification, the request URL in the signed string is the webhook in the request message. The webhook is defined by the merchant. If the webhook does not have a path part, this line will not exist. For example:
Step 2: Calculate the signature value
Get the SignType from the HTTP header, and use the algorithm specified by SignType to calculate the hash of the string to be signed.
In the example above, using SHA256 to calculate the hash of the string above, the signature value is 55b6209adf43213fbacdbc618f34f63a3cf3d1cb670aba86a8bd43bf29f3d9d9.
Step 3: Verify the signature value
Get the Authorization value from the HTTP header and compare it with the signature value calculated above to see whether they match. If they match, go ahead with the business logic processing on the merchant side. If they do not match, do not continue the business logic processing on the merchant side; check whether the sign key is correct, and contact your EVO Cloud account manager for help if needed.
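
The signing and verification steps above, as an added Python example (not EVO Cloud's code) for the SHA256 and SHA512 sign types. The line-omission rule, UTF-8 encoding, the shape of the headers dictionary, and the sample key, body and /evo/notify path are assumptions or constructed values; HMAC sign types are rejected here because this page does not show how the key enters the HMAC.

```python
import hashlib
import hmac

# Plain-hash SignTypes only; anything else is rejected (fail closed).
HASHES = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def build_string_to_sign(method, url, date_time, key, msg_id, body=""):
    """Join the fields with newlines in the fixed order given on the page.

    Assumption: an absent URL path (webhook without a path) or an absent
    body (GET request) drops its line rather than leaving an empty one.
    """
    lines = [method]
    if url:
        lines.append(url)
    lines += [date_time, key, msg_id]
    if body:
        lines.append(body)
    return "\n".join(lines)


def sign(string_to_sign, sign_type):
    # Assumption: UTF-8 input, lowercase hex output (as in the page's sample value).
    if sign_type not in HASHES:
        raise ValueError(f"unsupported SignType: {sign_type!r}")
    return HASHES[sign_type](string_to_sign.encode("utf-8")).hexdigest()


def verify_message(method, url, headers, raw_body, key):
    """True only if Authorization equals the signature recomputed locally.

    raw_body must be the body text exactly as received: re-serialising the
    JSON changes whitespace and therefore the hash.
    """
    try:
        to_sign = build_string_to_sign(
            method, url, headers["DateTime"], key, headers["MsgID"], raw_body)
        expected = sign(to_sign, headers["SignType"])
        received = headers["Authorization"]
    except (KeyError, ValueError):
        return False  # missing header or unknown algorithm: reject
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample: a notification sent to a hypothetical webhook path.
SAMPLE_KEY = "constructed-signing-key"
SAMPLE_BODY = '{"sample":"constructed body"}'
SAMPLE_HEADERS = {"DateTime": "2020-03-04T15:39:40+08:00", "SignType": "SHA256",
                  "MsgID": "2d21a5715c034efb7e0aa383b885fc7a"}
SAMPLE_HEADERS["Authorization"] = sign(build_string_to_sign(
    "POST", "/evo/notify", SAMPLE_HEADERS["DateTime"], SAMPLE_KEY,
    SAMPLE_HEADERS["MsgID"], SAMPLE_BODY), "SHA256")
```

Call verify_message before any JSON parsing or business logic, and treat a False result as a rejected message.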
Modified at 2024-08-07 01:31:35