About Reverse Validation

Reverse Validation Instructions

To ensure the security of interface interaction, Alchemy Pay initiates reverse requests for certain interfaces when merchants make requests. Merchants need to respond with the correct results upon receiving the request before proceeding to the next step. The specific process is as follows:

List of interfaces for reverse verification

| Name | Path |
| --- | --- |
| API For Creating Virtual Card | /open/api/card/create |
| API For Virtual Card Deposit | /open/api/card/deposit |
| API For Card Refund | /open/api/card/withdraw/refund |
| API For Deleting Card | /open/api/card/cancel |

Prior to testing or going live, merchants need to provide reverse verification addresses for the four interfaces mentioned above. Otherwise, testing or going live will not be possible.

Reverse verification interface interaction process

Using the example of the virtual card creation interface, here is the interaction process. The interaction process for the other three interfaces remains the same.

Interface rules

  • requestMethod: GET
  • requestPath: Provided by the merchant
  • Request parameters
| Parameter | Type | Description |
| --- | --- | --- |
| orderNo | string | The customer transaction reference number uploaded by the merchant in the request, returned as is. |

After receiving a request from Alchemy Pay, the merchant needs to respond with the following parameters:

Response Headers

| Parameter | Type | Description |
| --- | --- | --- |
| ach-access-key | string | Key. |
| ach-access-timestamp | string | 13-digit timestamp. |
| ach-access-sign | string | Signature. See "Reverse verification signature instructions". |

Response content

success

After receiving a request from Alchemy Pay, the merchant must correctly return the signature in order to proceed with the next steps.

Reverse verification signature instructions

(1) Generate the string to be signed in a fixed order: timestamp + requestMethod + requestPath + bodyString. Example:

Merchant-provided reverse verification URL: https://www.xxxxx.com/card/reverse/check
Timestamp: 1700549311596
Response content: success
String to be signed: 1700549311596GET/card/reverse/checksuccess

(2) Generate the signature.

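import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class ReverseSign {

    // Returns Base64(HMAC-SHA256(secretkey, content)), both encoded as UTF-8.
    public static String sign(String content, String secretkey) throws NoSuchAlgorithmException, InvalidKeyException {
        Base64.Encoder base = Base64.getEncoder();
        String signVal = base.encodeToString(sha256(content.getBytes(StandardCharsets.UTF_8), secretkey.getBytes(StandardCharsets.UTF_8)));
        return signVal;
    }

    // Computes the raw HMAC-SHA256 of the message under the given secret.
    public static byte[] sha256(byte[] message, byte[] secret) throws NoSuchAlgorithmException, InvalidKeyException {
        Mac sha256_HMAC = Mac.getInstance("HmacSha256");
        SecretKeySpec secretKey = new SecretKeySpec(secret, "HmacSha256");
        sha256_HMAC.init(secretKey);
        return sha256_HMAC.doFinal(message);
    }

    public static void main(String[] args) throws Exception {
        // String to be signed from step (1): timestamp + requestMethod + requestPath + bodyString.
        String content = "1700549311596GET/card/reverse/checksuccess";
        // Placeholder secret; use the merchant's own secret key.
        String secretkey = "XXXXX";
        String sign = sign(content, secretkey);
        System.out.println(sign);
    }
}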
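
The merchant side of the exchange described above, as an added Python example that is not Alchemy Pay's own code: it builds the three response headers and the `success` body for a reverse-validation GET, deriving requestPath from the merchant URL as in step (1). The names `handle_reverse_check` and `pending_orders`, the sample order number and access key, and the choice to answer an unknown orderNo with 404 and no signature are assumptions of this example; the page does not specify that case.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import urlparse

REVERSE_URL = "https://www.xxxxx.com/card/reverse/check"  # URL from the page's example
BODY = "success"                                           # response content per the page


def string_to_sign(timestamp: str, method: str, url: str, body: str) -> str:
    """timestamp + requestMethod + requestPath + bodyString, in that fixed order."""
    # Only the path is used, as in the page's example (no scheme, host or query).
    return timestamp + method.upper() + urlparse(url).path + body


def sign(content: str, secret: str) -> str:
    """Base64(HMAC-SHA256(secret, content)), the same operation as ReverseSign.sign."""
    digest = hmac.new(secret.encode("utf-8"), content.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def handle_reverse_check(order_no, pending_orders, access_key, secret, now_ms=None):
    """Return (status, headers, body) for a reverse-validation GET.

    Assumption of this example: an orderNo the merchant never submitted is
    answered with 404 and no signature, so the endpoint cannot be used to
    confirm requests the merchant did not make.
    """
    if order_no not in pending_orders:
        return 404, {}, ""
    # 13-digit (millisecond) timestamp, as required for ach-access-timestamp.
    timestamp = str(now_ms if now_ms is not None else int(time.time() * 1000))
    headers = {
        "ach-access-key": access_key,
        "ach-access-timestamp": timestamp,
        "ach-access-sign": sign(string_to_sign(timestamp, "GET", REVERSE_URL, BODY), secret),
    }
    return 200, headers, BODY


if __name__ == "__main__":
    # Constructed sample values: order number, access key and secret are placeholders.
    pending = {"ORDER-0001"}
    print(handle_reverse_check("ORDER-0001", pending, "demo-access-key", "XXXXX", 1700549311596))
    print(handle_reverse_check("ORDER-9999", pending, "demo-access-key", "XXXXX", 1700549311596))
```

The timestamp placed in `ach-access-timestamp` must be the same value used in the signed string, which is why the handler computes it once and reuses it.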