Authentication
Data encryption
In order to ensure data security during transmission and prevent data leakage, sensitive data, such as card accounts and cardholders' names, need to be encrypted.
- AES encryption algorithm
- Merchants need to generate their own merchant secret key and keep it in a secure way
- AES encryption method: AesUtil.AESEncode(metadata, secret key)
- In case there are Chinese parameters, please encode with URLEncoder: URLEncoder.encode(param)
Signature
Mutual authentication is implemented. For requests, the caller needs to compute a digital signature and add the signature as part of the HTTP body. Conversely, for responses, Alchemy Pay provides its signature in the HTTP body in the response. The request signature is generated as follows:
| Step | Description | Example |
|---|---|---|
| 1 | Sort all parameters in ascending order according to parameter names | Parameter list: abc=value1 bcd=value2 bad=value3 Sort result: abc=value1 bad=value3 bcd=value2 |
| 2 | Connect all parameters with '&' | abc=value1&bad=value3&bcd=value2 |
| 3 | The client uses RSA private key to sign, and the server uses RSA public key to verify the signature | RsaUtil.sign(signature string, private key) |
| 4 | After receiving the request, the server decrypts the data first and then goes through the signature verification procedure on the decrypted data with RSA public key. If both decryption and signature verification are successful, the request is considered legitimate. |
Updated 5 months ago