
Direct Debit

Overview

This service enables the user to make a payment from the merchant's platform by redirecting to Paydia's platform. Details are described in the following sections.

Paydia's API spec contains two main endpoints:

No  API Name                     Description
1   Direct Debit Payment         This API is used to initiate a payment from the merchant's platform to Paydia
2   Direct Debit Payment Notify  This API is used to notify the payment status and information from Paydia to the merchant's platform

Signature Generation and Validation

The following sections explain signature generation and validation.

Symmetric with B2B Access Token (HMAC_SHA512)

The following steps describe the symmetric scheme with a B2B access token (HMAC_SHA512).

Digital Signature Generation

Apply Token B2B Signature
  1. Compose the string to sign:
     X-CLIENT-KEY + "|" + X-TIMESTAMP
  2. Generate the signature string from the string to sign above by applying SHA-256 with RSA-2048 encryption using the PKCS#8 private key, then encode the result to base64.
  3. Put the signature string into the HTTP header "X-SIGNATURE" when calling the API to apply for a B2B access token.
Transaction Signature
  1. Compose the string to sign:
     HTTP METHOD + ":" + RELATIVE PATH URL + ":" + B2B ACCESS TOKEN + ":" + LowerCase(HexEncode(SHA-256(Minify(HTTP BODY)))) + ":" + X-TIMESTAMP
  2. Generate the signature string from the string to sign above by applying HMAC_SHA512 hashing with the secret key given by Paydia, then encode the result to base64.
  3. Put the signature string into the HTTP header "X-SIGNATURE" when calling Paydia's API.

Digital Signature Validation

Apply Token B2B Signature

The following are the steps of digital signature validation:

  1. Take the signature from the HTTP header "X-SIGNATURE".
  2. Decrypt the signature using the public key paired with the private key that was used to generate the signature.
  3. Verify the correctness of the signature, based on SHA-256 with RSA-2048 encryption signing, against the string to sign.
  4. If the verification succeeds, consume the message.
Transaction Signature
  1. Compose the string to sign:
     HTTP METHOD + ":" + RELATIVE PATH URL + ":" + B2B ACCESS TOKEN + ":" + LowerCase(HexEncode(SHA-256(Minify(HTTP BODY)))) + ":" + X-TIMESTAMP
  2. Generate the signature from the string to sign above by applying HMAC_SHA512 hashing with the secret key given by Paydia, then encode the result to base64.
  3. Take the signature from the HTTP header "X-SIGNATURE".
  4. Compare the value of X-SIGNATURE with the generated signature; if the two values are the same, consume the message.
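The transaction signature flow above (generation on the partner side, validation on the receiving side), as an added Python example that is not part of Paydia's documentation or SDK. It uses only the standard library and assumes that Minify means removing insignificant whitespace from the JSON body; the secret, access token, path and timestamp are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json


def minify(body: str) -> str:
    """Remove insignificant whitespace from a JSON body (assumed meaning of Minify)."""
    return json.dumps(json.loads(body), separators=(",", ":"), ensure_ascii=False)


def body_digest(body: str) -> str:
    """LowerCase(HexEncode(SHA-256(Minify(HTTP BODY))))."""
    return hashlib.sha256(minify(body).encode("utf-8")).hexdigest().lower()


def string_to_sign(method: str, path: str, access_token: str, body: str, timestamp: str) -> str:
    """HTTP METHOD + ":" + RELATIVE PATH URL + ":" + B2B ACCESS TOKEN + ":" + body digest + ":" + X-TIMESTAMP."""
    return ":".join([method.upper(), path, access_token, body_digest(body), timestamp])


def generate_signature(secret: str, method: str, path: str, access_token: str, body: str, timestamp: str) -> str:
    """HMAC_SHA512 over the string to sign with the Paydia-issued secret, base64-encoded (the X-SIGNATURE value)."""
    sts = string_to_sign(method, path, access_token, body, timestamp)
    mac = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha512).digest()
    return base64.b64encode(mac).decode("ascii")


def validate_signature(secret: str, x_signature: str, method: str, path: str,
                       access_token: str, body: str, timestamp: str) -> bool:
    """Recompute the signature from the received request and compare it with the X-SIGNATURE header.

    compare_digest is used so the comparison does not leak timing information about the expected value.
    """
    expected = generate_signature(secret, method, path, access_token, body, timestamp)
    return hmac.compare_digest(expected, x_signature)


if __name__ == "__main__":
    # Constructed sample request; none of these values come from Paydia.
    secret = "constructed-client-secret"
    token = "constructed-b2b-access-token"
    path = "/v1.0/debit/payment"
    ts = "2023-05-10T10:00:00+07:00"
    body = '{"partnerReferenceNo": "INV-0001", "amount": {"value": "10000.00", "currency": "IDR"}}'
    sig = generate_signature(secret, "POST", path, token, body, ts)
    print("X-SIGNATURE:", sig)
    print("valid:", validate_signature(secret, sig, "POST", path, token, body, ts))
    print("tampered body valid:", validate_signature(secret, sig, "POST", path, token, body.replace("10000", "99999"), ts))
```

Because the body is minified before hashing, a re-serialised body with different whitespace still validates, while any change to a value or to the path, method, token or timestamp does not.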

Asymmetric without Access Token (SHA256withRSA)

The following steps describe the asymmetric scheme without an access token (SHA256withRSA).

Asymmetric Key Generation

The following commands generate the asymmetric key pair:

  • Create the private key:
    openssl genrsa -out rsa_private_key.pem 2048
  • Export the public key:
    openssl rsa -in rsa_private_key.pem -out rsa_public_key.pem -pubout
  • Convert the private key to PKCS#8 encoding:
    openssl pkcs8 -topk8 -in rsa_private_key.pem -out pkcs8_rsa_private_key.pem -nocrypt

The partner generates the signature with pkcs8_rsa_private_key.pem and Paydia uses rsa_public_key.pem to validate the signature, and vice versa.

Digital Signature Generation

The following are the steps of digital signature generation:

  1. Compose the string to sign:
    • Apply token:
      X-CLIENT-KEY + "|" + X-TIMESTAMP
    • Transactional:
      HTTP METHOD + ":" + RELATIVE PATH URL + ":" + LowerCase(HexEncode(SHA-256(Minify(HTTP BODY)))) + ":" + X-TIMESTAMP
  2. Generate the signature string from the string to sign above by applying SHA-256 with RSA-2048 encryption using the PKCS#8 private key, then encode the result to base64.
  3. Put the signature string into the HTTP header "X-SIGNATURE".

Example:

X-SIGNATURE: 85be817c55b2c135157c7e89f52499bf0c25ad6eeebe04a986e8c862561b19a5

Digital Signature Validation

The following are the steps of digital signature validation:

  1. Take the signature from the HTTP header "X-SIGNATURE".
  2. Decrypt the signature using the public key paired with the private key that was used to generate the signature.
  3. Verify the correctness of the signature, based on SHA-256 with RSA-2048 encryption signing, against the string to sign.
  4. If the verification succeeds, consume the message.

Document Version

The following table shows the versioning of this document:

No  Date          Version  Remarks                                                     Page
1   May 10, 2023  1.2.2    • Removed B2B ACCESS TOKEN in Digital Signature Generation
                           • Removed General Response Code section
2   Nov 4, 2022   1.1.0    Initial Release                                             Everything related to PayConnect