About Reverse Validation
Reverse Validation Instructions
To ensure the security of interface interaction, Alchemy Pay initiates reverse requests for certain interfaces when merchants make requests. Merchants need to respond with the correct results upon receiving the request before proceeding to the next step. The specific process is as follows:
List of interfaces for reverse verification
| name | path |
|---|---|
| API For Creating Virtual Card | /open/api/card/create |
| API For Virtual Card Deposit | /open/api/card/deposit |
| API For Card Refund | /open/api/card/withdraw/refund |
| API For Deleting Card | /open/api/card/cancel |
Prior to testing or going live, merchants need to provide reverse verification addresses for the four interfaces mentioned above. Otherwise, testing or going live will not be possible.
Reverse verification interface interaction process
Using the example of the virtual card creation interface, here is the interaction process. The interaction process for the other three interfaces remains the same.
Interface rules
- requestMethod: GET
- requestPath: Provided by the merchant
- Request parameters
| Parameter | Type | Description |
|---|---|---|
| orderNo | string | The customer transaction reference number uploaded by the merchant in the request, returned as is. |
After receiving a request from Alchemy Pay, the merchant needs to respond with the following parameters
Response Headers
| Parameter | Type | Description |
|---|---|---|
| ach-access-key | string | key |
| ach-access-timestamp | string | 13-digit timestamp. |
| ach-access-sign | string | sign. Reference Reverse verification signature instructions |
Response content
success
After receiving a request from Alchemy Pay, the merchant must correctly return the signature in order to proceed with the next steps.
Reverse verification signature instructions
(1)Generate the string to be signed in a fixed order: timestamp + requestMethod + requestPath + bodyString. Example:
Merchant-provided reverse verification URL: https://www.xxxxx.com/card/reverse/check
Timestamp: 1700549311596
Response content: success
String to be signed: 1700549311596GET/card/reverse/checksuccess
(2)Generate the signature.
public class ReverseSign {
public static String sign(String content, String secretkey) throws NoSuchAlgorithmException, InvalidKeyException {
Base64.Encoder base = Base64.getEncoder();
String signVal = base.encodeToString(sha256(content.getBytes(StandardCharsets.UTF_8), secretkey.getBytes(StandardCharsets.UTF_8)));
return signVal;
}
public static byte[] sha256(byte[] message, byte[] secret) throws NoSuchAlgorithmException, InvalidKeyException {
Mac sha256_HMAC = Mac.getInstance("HmacSha256");
SecretKeySpec secretKey = new SecretKeySpec(secret, "HmacSha256");
sha256_HMAC.init(secretKey);
return sha256_HMAC.doFinal(message);
}
public static void main(String[] args) throws Exception {
String content = "1700549311596GET/card/reverse/checksuccess";
String secretkey = "XXXXX";
String sign = sign(content, secretkey);
System.out.println(sign);
}
}
Updated 10 months ago