4.3. OAuth¶

OAuth Overview
OAuth Implementation
- HMAC-SHA1
- OAuth RSA-SHA256
Libraries

4.3.1. OAuth Overview ¶

This page allows you to generate OAuth signatures using a known good OAuth 1.0a library, https://oauth.net/1/. This way you can quickly identify if 403 Forbidden error received from the Apropay API server is due to a bad signature or another issue.

4.3.2. OAuth Implementation ¶

HMAC-SHA1 ¶

To generate request with OAuth HMAC-SHA1 authentication:
Generate Signature,
Generate Headers,
Generate Request.

OAuth HMAC-SHA1 Signature Generation ¶

To prepare the Signature Base String do the following steps:

1. Gather all request body parameters and OAuth parameters included in request body (oauth_consumer_key, oauth_nonce, oauth_signature_method, oauth_timestamp, oauth_version):
For oauth_consumer_key use a merchant login provided by Payment Gateway, ex. merchantlogin.
For oauth_nonce generate unique random nonce, ex. y3qlvMPky7g.
For oauth_signature_method set HMAC-SHA1.
For oauth_timestamp header get current timestamp in seconds, ex. 1669966913.
For oauth_version set 1.0.
Parameter oauth_signature must not be included in request body parameters (only in OAuth header).
2. Percent-encode value of each gathered on step 1 parameter. See RFC 3986 for reference. The unreserved characters can be encoded, but should not be encoded. The reserved characters have to be encoded, for example: % is encoded to %25, / is encoded to %2F, = is encoded to %3D.
3. Sort all gathered on step 1 parameters together with their values in lexicographical order by parameter name.
4. Concatenate all gathered on step 1 parameters and their values using & and = in the following way:

object1=valueOfObject1&object2=valueOfObject2...

Concatenated parameters string example:

noneclient-order-id=1234567890&oauth_consumer_key=merchantlogin&oauth_nonce=y3qlvMPky7g&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1669966913&oauth_version=1.0&sending-card-ref-id=7654321

5. Percent-encode each element (POST, URL, concatenated parameters) and construct Signature Base String with POST&URL&parameters structure (as documented in OAuth A.5.1.).

Signature Base String Example:

POST&https%3A%2F%2Fgate.apropay.com%2Fpaynet%2Fapi%2Fv2%2Fpan-eligibility%2Fsend%2FENDPOINTID&client-order-id%3D1234567890%26oauth_consumer_key%3Dmerchantlogin%26oauth_nonce%3Dy3qlvMPky7g%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1669966913%26oauth_version%3D1.0%26sending-card-ref-id%3D7654321

6. Encrypt Signature Base String with HMAC-SHA1. Encryption key is the concatenation of consumer secret (Merchant control key) + & + token secret (empty string).

HMAC-SHA1 Key Example:

11111111-1111-1111-1111-111111111111&

7. Encode encrypted string to Base64 to get signature.

Java HMAC-SHA1 Signature Generation Example:

package com.Doc2.0;

import org.apache.commons.codec.binary.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;

public class HMAC_SHA1 {
    private static final String HMAC_SHA1_ALGORITHM = "HmacSHA1";

    public static String calculateHMAC(String data, String key) throws NoSuchAlgorithmException, InvalidKeyException {
        SecretKeySpec signingKey = new SecretKeySpec(key.getBytes(), HMAC_SHA1_ALGORITHM);
        Mac mac = Mac.getInstance(HMAC_SHA1_ALGORITHM);
        mac.init(signingKey);
        return Base64.encodeBase64String(mac.doFinal(data.getBytes()));
     }
}

Signature will look like following string:

d/IPlITUmPcniwjA7Vckjr6WQeE=

OAuth HMAC-SHA1 Headers Generation ¶

A request with OAuth HMAC-SHA1 authentication method must contain next headers:

content-type=application/x-www-form-urlencoded (See OAuth 5.2.)
Authorization: OAuth

OAuth header must contain the same OAuth parameters and values which were included in request body (oauth_consumer_key, oauth_nonce, oauth_signature_method, oauth_timestamp, oauth_version). Add signature as value of parameter oauth_signature to header Authorization. All values of parameters in OAuth header must be in quotes (See OAuth 5.4.1.) with the following structure: parameter=”value” and be separated by mandatory comma (,) and optional space. OAuth realm parameter is optional.

Authorization Header Example (Header is line-separated for display purposes):

Authorization: OAuth
oauth_consumer_key="merchantlogin",
oauth_nonce="y3qlvMPky7g",
oauth_signature="d/IPlITUmPcniwjA7Vckjr6WQeE=",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1669966913",
oauth_version="1.0"

OAuth HMAC-SHA1 Request Generation ¶

Use headers from previous section,
Add request parameters to body,
Percent-encode and send the request.

Example of Request:

Request method:      POST
Request URI: https://gate.apropay.com/paynet/api/v2/pan-eligibility/send/1111
Headers: Authorization=OAuth realm="",oauth_version="1.0",oauth_consumer_key="merchantlogin",oauth_timestamp="1669966913",oauth_nonce="y3qlvMPky7g",oauth_signature_method="HMAC-SHA1",oauth_signature="d%2FIPlITUmPcniwjA7Vckjr6WQeE%3D"
        Accept=*/*
        Content-Type=application/x-www-form-urlencoded; charset=ISO-8859-1
Body: client-order-id=1234567890&oauth_consumer_key=merchantlogin&oauth_nonce=y3qlvMPky7g&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1669966913&oauth_version=1.0&sending-card-ref-id=7654321

Example of CURL Request:

curl -H '
Authorization: oauth_version="1.0",
oauth_consumer_key="merchantlogin",
oauth_timestamp="1669966913",
oauth_nonce="y3qlvMPky7g",
oauth_signature_method="HMAC-SHA1",
oauth_signature="d%2FIPlITUmPcniwjA7Vckjr6WQeE%3D"
' --data '
client-order-id=1234567890
&oauth_consumer_key=merchantlogin
&oauth_nonce=y3qlvMPky7g
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1669966913
&oauth_version=1.0
&sending-card-ref-id=7654321
' 'https://gate.apropay.com/paynet/api/v2/pan-eligibility/send/ENDPOINTID'

Java implementation example ¶

Here is an example of how to make a signed request in Java with help of Scribe library:

public String doPost(String url, Map<String, String>parameters) throws ConnectionIOException, ConnectionTimeoutException {
    OAuthConfig config = new OAuthConfig(apiToken, merchantControlKey, OAuthConstants.OUT_OF_BAND,
            SignatureType.Header, null,null);
    OAuthService service = new OAuth10aServiceImpl(new HmacSha1Mapi(), config);
    OAuthRequest request = new OAuthRequest(Verb.POST,url);
    for (Map.Entry < String,String >;entry :parameters.entrySet()){
        request.addBodyParameter(entry.getKey(), entry.getValue());
    } // empty token for 'two-legged'
    OAuth Token token = new Token("", "");
    service.signRequest(token, request);
    Response response = request.send();
    return response.getBody();
}

private static class Mapi extends DefaultApi {
    @Override
    public String getRequestTokenEndpoint() {
        return null; // not used
    } @Override public String getAccessTokenEndpoint() {
        return null; //not used
    }

    @Override
    public String getAuthorizationUrl(Token requestToken) {
        return null; // not used
    }
    @Override
    public SignatureService getSignatureService() {
        return new HMACSha1SignatureService();
    }
}

C# implementation example ¶

This example shows the C# OAuth implementation for Payout integration:

using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Net;

namespace ConsoleApplication1
{
    class Program

    {

        static void Main(string[] args)
        {
            string apiUrl = "https://sandbox.apropay.com/paynet/api/v2/payout/123";

            string consumerKey = "merchantlogin";
            string consumerSecret = "1EF4D28C-1111-2222-3333-444487505555";

            /* for oauth_timestamp */
            TimeSpan ts = DateTime.UtcNow - new DateTime(1970, 1, 1, 0, 0, 0, 0);
            string timestamp = Convert.ToInt64(ts.TotalSeconds).ToString();

            /* for oauth_nonce */
            /* (obviously you wouldn't create a new Random class every time!) */
            string nonce = new Random().Next(123400, 9999999).ToString();


            //oauth parameters, need sort alpabetical, use SortedDictionary
            IDictionary<string,string> oauthParams = new SortedDictionary<string, string>();
            oauthParams.Add("oauth_consumer_key",consumerKey);
            oauthParams.Add("oauth_nonce",nonce);
            oauthParams.Add("oauth_timestamp",timestamp);
            oauthParams.Add("oauth_signature_method","HMAC-SHA1");
            oauthParams.Add("oauth_version","1.0");


            //Prepare POST request params , add oauth params
            IDictionary<string,string> requestParameters = new SortedDictionary<string, string>(oauthParams);

            requestParameters.Add("account_number", "1234567890");
            requestParameters.Add("amount", "100");
            requestParameters.Add("bank_branch", "test_branch");
            requestParameters.Add("bank_name", "test_bank");
            requestParameters.Add("client_orderid", "12345");
            requestParameters.Add("currency", "USD");

            StringBuilder builder = new StringBuilder();

            foreach (KeyValuePair<string,string> pair in requestParameters)
            {
                if (builder.Length > 0)
                {
                    builder.Append("&");
                }
                //ATTENTION, call  Uri.EscapeDataString
                builder.Append(Uri.EscapeDataString(pair.Key)).Append("=").Append(Uri.EscapeDataString(pair.Value));
            }
            string normalizedParameters = builder.ToString();



            //create signature base string
            builder = new StringBuilder();

            builder.Append("POST").Append("&");
            builder.Append(Uri.EscapeDataString(apiUrl)).Append("&");
            builder.Append(Uri.EscapeDataString(normalizedParameters));

            string signatureBaseString = builder.ToString();


            // calculate signature, always add & to end consumerSecret
            byte[] signatureKeyBytes = Encoding.UTF8.GetBytes(consumerSecret + "&");

            HMACSHA1 sha1 = new HMACSHA1(signatureKeyBytes);

            /* generate the signature and add it to our parameters */
            byte[] baseStringBytes = Encoding.UTF8.GetBytes(signatureBaseString);
            byte[] baseStringHash = sha1.ComputeHash(baseStringBytes);
            string base64StringHash = Convert.ToBase64String(baseStringHash);
            oauthParams.Add("oauth_signature", base64StringHash);


            //create oauth Header
            string authHeader = createOAuthHeader(oauthParams);

            /* we are ready to send the request! */

            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(apiUrl);
            request.Headers.Add("Authorization", authHeader);
            var data = Encoding.UTF8.GetBytes(normalizedParameters);
            request.Method = "POST";
            request.ContentType = "application/x-www-form-urlencoded";
            request.ContentLength = data.Length;
            request.Timeout = 30*1000;
            request.UserAgent = "DotNet";

            using (var stream = request.GetRequestStream())
            {
                stream.Write(data, 0, data.Length);
            }

            var response = (HttpWebResponse) request.GetResponse();
            var responseString = new StreamReader(response.GetResponseStream()).ReadToEnd();

            System.Console.WriteLine(responseString);
        }

        private static string createOAuthHeader(IDictionary<string, string> oauthParams)
        {
            StringBuilder builder = new StringBuilder("OAuth realm=\"\"");

            foreach (KeyValuePair<string, string> pair in oauthParams)
            {
                if (builder.Length > 0)
                {
                    builder.Append(",");
                }
                //ATTENTION, call  Uri.EscapeDataString
                builder.Append(string.Format("{0}=\"{1}\"", Uri.EscapeDataString(pair.Key), Uri.EscapeDataString(pair.Value)));
            }

            return builder.ToString();
        }
    }
}

Debug ¶

To reproduce your API call, input all of the data from your original request, including the authentication tokens. Don’t forget to set the nonce and timestamp to the values you used. An OAuth signed URL should match regardless of the generating library. If the signatures differ, you know there is a bug in your OAuth signature code.

HTTP method
URL
parameters
version
consumer key
consumer secret
token
token secret
timestamp
nonce
signature method

normalized parameters

signature base string

signature

authorization header

Curl

OAuth RSA-SHA256 ¶

To generate request with OAuth RSA-SHA256 authentication:
Generate Key Pair,
Generate Signature,
Generate Headers,
Generate Request.

Generating Key Pair ¶

To authorize future requests with RSA-SHA256, generate the key pair:

A PRIVATE key to sign the request. This private key must be kept secret from everyone.
A PUBLIC key to verify that the request was signed with the respective private key. Send it to support manager.

To generate keys download latest version of openssl and run following commands:

openssl genpkey -algorithm RSA -out private_key_pkcs_8.pem -pkeyopt rsa_keygen_bits:4096
openssl rsa -pubout -in private_key_pkcs_8.pem -out public_key.pem

Use different keys for production and for testing purposes to avoid compromise.

To use request builders in documentation, get the private key in PKCS#1 container. It should be unencrypted RSA private key in PKCS#1 PEM text format. To get it use the following command:

openssl rsa -in private_key_pkcs_8.pem -out private_key_pkcs_1.pem

For OpenSSL v3+ (tested on v3.0.5), use the following command instead:

openssl rsa -traditional -in private_key_pkcs_8.pem -out private_key_pkcs_1.pem

The resultant PKCS#1 RSA private key will start with —–BEGIN RSA PRIVATE KEY—–. For production purposes any format of the key supported by Connecting Party software can be used. Request builders in documentation support key length up to 4096. Example of the PKCS#1 RSA private key:

OAuth RSA-SHA256 Signature Generation ¶

To prepare the Signature Base String do the following steps:

1. Gather all request body parameters and OAuth parameters included in request body (oauth_consumer_key, oauth_nonce, oauth_signature_method, oauth_timestamp, oauth_version):
For oauth_consumer_key use a merchant login provided by Payment Gateway, ex. paydroid.
For oauth_nonce generate unique random nonce, ex. hoFlZri9c17X1Tvb7yD2fsMEQUIWBQ3m.
For oauth_signature_method set RSA-SHA256.
For oauth_timestamp header get current timestamp in seconds, ex. 1669720957.
For oauth_version set 1.0.
Parameter oauth_signature must not be included in request body parameters (only in OAuth header).
2. Percent-encode value of each gathered on step 1 parameter. See RFC 3986 for reference. The unreserved characters can be encoded, but should not be encoded. The reserved characters have to be encoded, for example: % is encoded to %25, / is encoded to %2F, = is encoded to %3D.
3. Sort all gathered on step 1 parameters together with their values in lexicographical order by parameter name.
4. Concatenate all gathered on step 1 parameters and their values using & and = in the following way:

object1=valueOfObject1&object2=valueOfObject2...

5. Percent-encode each element (POST, URL, concatenated parameters) and construct Signature Base String with POST&URL&parameters structure (as documented in OAuth A.5.1.).

Signature Base String Example:

POST&https%3A%2F%2Fgate.apropay.com%2Fpaynet%2Fapi%2Fv4%2Ftransfer%2FENDPOINTID&amount%3D10.42%26card_printed_name%3DJohn%2520Doe%26card_recurring_payment_id%3D42322%26client_orderid%3D1%26credit_card_number%3D4210708776705721%26currency%3DUSD%26cvv2%3D123%26deposit2card%3Dfalse%26destination-card-no%3D4232618181101636%26destination_card_recurring_payment_id%3D61622%26expire_month%3D12%26expire_year%3D2099%26ipaddress%3D1.1.1.1.1%26oauth_consumer_key%3Dpaydroid%26oauth_nonce%3DhoFlZri9c17X1Tvb7yD2fsMEQUIWBQ3m%26oauth_signature_method%3DRSA-SHA256%26oauth_timestamp%3D1669720957%26oauth_version%3D1.0%26order_desc%3DYour%2520order%2520description%26redirect_url%3Dhttp%253A%252F%252Fwww.example.com

6. Encrypt Signature Base String with RSA-SHA256 using the private key obtained in previous section.
7. Base64 encode the encrypted string to get signature.
Base64 Encoded Signature Example:

K0hLc7GYh65UDTNvJvJbqoD95T7ekVEwIx+AxLBe2rNndPVzCAZMTi58J5pJlXZA1qOrgzUj/uL764NofP6qrqBXHX9Fpg+PdoMBey7zY9nMOmtdpHhkwyqA0n8e8oh68x+8RtC1+gmaIsIJDVurpCm2CdaViC2ny90GWPrrSin9CFwDmIKBtOJ7dxNnuFQJkvLxwK9JE9gRfQssG4vOrXrn2f5DvENFvFW3fL7meiN3mKuBFyEHIv2cibWopoUTQrxAgCfTHvRuU5nRIct9oWgCYLYzROOPyAIjtyDFKcTnUql9+tD2+p2rMDDU7HqJUGy764rb4ShuvuiuEvzIaNwg3JAxho9fqcKJz5LXt4efX1i8oFt33ztYSgZRojsoW4HCzuhZcQQmRexpmtCGYKqH3Q2BsG2jIkQAxL9BOUOzXNoeXoVQIf3+47cJ0KujEHuDXROblq3o9Uos5K+Mu9Carjs8jHMiBHo4aS4IAgXVY3mEuohCuRhL9/Y9buuyvdKSNsao7qHwD/6bb9Sj2MFFhYP6gHf+p1NipH05224aX9hMZty8Ovb3+ps/wNWYC8NVfft5bh8ETowaHQ5TUOPFdvU+5IkHOnnfbvz1/+jDeErd0Pdq4xH6c5/gZVQY9j6DFpazsw8d3karwXoBduv7I3mh7L3CSjTweABaRMw=

OAuth RSA-SHA256 Headers Generation ¶

A request with OAuth RSA-SHA256 authentication method must contain next headers:

content-type=application/x-www-form-urlencoded (See OAuth 5.2.)
Authorization: OAuth

OAuth header must contain the same OAuth parameters and values which were included in request body (oauth_consumer_key, oauth_nonce, oauth_signature_method, oauth_timestamp, oauth_version). Add signature as value of parameter oauth_signature to header Authorization. All values of parameters in OAuth header must be in quotes (See OAuth 5.4.1.) with the following structure: parameter=”value” and be separated by mandatory comma (,) and optional space. OAuth realm parameter is optional.

Authorization Header Example (Header is line-separated for display purposes):

Authorization: OAuth
oauth_consumer_key="paydroid",
oauth_nonce="hoFlZri9c17X1Tvb7yD2fsMEQUIWBQ3m",
oauth_signature="K0hLc7GYh65UDTNvJvJbqoD95T7ekVEwIx%2BAxLBe2rNndPVzCAZMTi58J5pJlXZA1qOrgzUj%2FuL764NofP6qrqBXHX9Fpg%2BPdoMBey7zY9nMOmtdpHhkwyqA0n8e8oh68x%2B8RtC1%2BgmaIsIJDVurpCm2CdaViC2ny90GWPrrSin9CFwDmIKBtOJ7dxNnuFQJkvLxwK9JE9gRfQssG4vOrXrn2f5DvENFvFW3fL7meiN3mKuBFyEHIv2cibWopoUTQrxAgCfTHvRuU5nRIct9oWgCYLYzROOPyAIjtyDFKcTnUql9%2BtD2%2Bp2rMDDU7HqJUGy764rb4ShuvuiuEvzIaNwg3JAxho9fqcKJz5LXt4efX1i8oFt33ztYSgZRojsoW4HCzuhZcQQmRexpmtCGYKqH3Q2BsG2jIkQAxL9BOUOzXNoeXoVQIf3%2B47cJ0KujEHuDXROblq3o9Uos5K%2BMu9Carjs8jHMiBHo4aS4IAgXVY3mEuohCuRhL9%2FY9buuyvdKSNsao7qHwD%2F6bb9Sj2MFFhYP6gHf%2Bp1NipH05224aX9hMZty8Ovb3%2Bps%2FwNWYC8NVfft5bh8ETowaHQ5TUOPFdvU%2B5IkHOnnfbvz1%2F%2BjDeErd0Pdq4xH6c5%2FgZVQY9j6DFpazsw8d3karwXoBduv7I3mh7L3CSjTweABaRMw%3D",
oauth_signature_method="RSA-SHA256",
oauth_timestamp="1669720957",
oauth_version="1.0"

OAuth RSA-SHA256 Request Generation ¶

Use headers from previous section,
Add request parameters to body,
Percent-encode and send the request.

Example of Request:

Request method: POST
Request URI: https://gate.apropay.com/paynet/api/v4/transfer/4473
Headers: Authorization= OAuth oauth_nonce="C12mCYiI4RDeVTvyZDHS3f0vUbBNrK9G", oauth_signature="S4ahUgep8EV3RTIPdcpO%2FzEwB8V1XwFcGi5zhrYKySPVVA2PAY7AxezPcOCMhMwZQfcf8VOH8O9v5zZ%2BmYV2Qsq4kjPe1zEJIjjdjhI%2B2MX9VW8dWn9DyoTD2lkOYUwGsCteXU6mwGtNergN5KwGTJgqYPfzWFLllSAhGwuOd%2FgHYVRnA6jd4FvywRaRiSsnzgsasGJjWCGzX%2F1B8L78H%2FqD1W7dNJHjC2JbonUiHVT4aOs74qpqYE9zcb5rK8PH1l2ems3ArXhqFaSF85%2BYzJ%2BkSeDswqeIZ1y3NS8XPrmaLeymLNqKpOfAl9Ng47AmIjSYEw3s5fQ7Xi9t4j7Y6fQA4RnIzIdmH4oeMiyzn7dpA87wqnXm5AIm6Den2TJaDg90UoCMXuGHkqfL8GGUSjaWleTOHlk%2FO4dBGDRw4LP1aEaJktQRmT5xwyoaQfz%2Bh2MR7zDpRbVZDpUto1iYlQl5UlgojOHaLLjW1gqggbvrtVXUBT73KcIboWW00VUcbVUX5Yb%2FSu7hUZO2fNAh4LYrsVcXRJxCZuwhXCiqvbR3EziEFDGVEZnKUDLCodzHbVA9hbpxHGa7TvSLFEANCPDFtapMF9eo%2F1yOt5Tkxag4g5yNes93lrVabsTqckiFIfKR2R3CcwJ6MQtMfo8ticJcKxfo2v%2BTkC0bEaRkBGk%3D", oauth_consumer_key="ny_qa_merchant", oauth_signature_method="RSA-SHA256", oauth_timestamp="1669892964", oauth_version="1.0"
    Accept=*/*
    Content-Type=application/x-www-form-urlencoded; charset=ISO-8859-1
Body: cvv2=123&ipaddress=1.1.1.1&amount=15.42&credit_card_number=4210708776705721&client_orderid=1&deposit2card=false&destination-card-no=4232618181101636&expire_month=12&order_desc=Your%20order%20description&card_printed_name=Vasia%20Pupkin&currency=RUB&expire_year=2099&redirect_url=http%3A%2F%2Fwww.example.com

Example of CURL Request:

curl -H '
Authorization: OAuth oauth_consumer_key="paydroid",
oauth_nonce="JOARJWjXJgfRUVqig8HIs0ouFWKfK4N5",
oauth_signature="k5Z0XCVdDvb5h873XG6TDMO854PsuueSnSby4h0%2F3j4TKraY6ebjoFfDmndI09%2FQp6uEbCgKregNY5N0ccIVIay49l6v7jMdIFEfqU7E5eu%2BIJcoqG7kMFcdCu29hweYx7p4ZSk%2FUtdGlN3wyUUybCAx73XYoO0tkZteAleyzQlzdpzQ99vPS8FN2WMbNdzU3H2PLf0XOZy4DbAPleZGfu3GWxXe9erGsvzBJozs3WFxiPFeULfzWWsNc1h1P7cnzNbZqXkI%2BV3qiG3jc7tDqGRZP%2BLZFw3nihNlW%2F2Nlp%2FId6QG8kPNOEx2GxAuQa8kufv%2BbpohU8UftZG1SnNfoa4nDVgNbWoSbTXbgXxwHE0ZlccwT6q%2BHbTmgggvIdGN9JuuLUL8fDSCxqu3R7YMvcwArzrkd1XEFUFvYWxHc3QpfbBu0GyLkL7pnmz%2BFPTH48COZ7yXbK6nQDFSIy8lmaEJsnnjMYyMMVgjNkDNzqwNxOQuwprTZ7KzHqWrTj0zHTOHl44q1pJhIqMwxWDPMsziExYbAzxuOkdQFZi%2BK%2Bu3M7tvG5Foy7Vwj%2BDSPMPAhj7j2AmUG4HzaJcpiBWMq0CkGWRjvneOk3NiwkEwOxq5tJOFjsroditUqJQSX1PTqf%2FtuiqaE2Gt5EYl19ZzyXbxtMjGZwL%2BzF1cT6ftTi4%3D",
oauth_signature_method="RSA-SHA256",
oauth_timestamp="1669892687",
oauth_version="1.0"
' --data '
amount=10.42
&card_printed_name=John%20Doe
&card_recurring_payment_id=42322
&client_orderid=1
&credit_card_number=4210708776705721
&currency=USD
&cvv2=123
&deposit2card=false
&destination-card-no=4232618181101636
&destination_card_recurring_payment_id=61622
&expire_month=12
&expire_year=2099
&ipaddress=1.1.1.1.1
&order_desc=Your%20order%20description
&redirect_url=http%3A%2F%2Fwww.example.com
' 'https://gate.apropay.com/paynet/api/v4/transfer/ENDPOINTID'

Debug ¶

To reproduce your API call, input all of the data from your original request, including the authentication tokens. Don’t forget to set the nonce and timestamp to the values you used. An OAuth signed URL should match regardless of the generating library. If the signatures differ, you know there is a bug in your OAuth signature code. Due to current PCI DSS restrictions only OAuth 1.0a RSA-SHA256 signature is allowed. Other signature methods are restricted. So to send command to the server your request should be: sent as POST, contains OAuth 1.0a headers, signed with RSA-SHA256.

Enter your private key in PKCS#1 container to use debug.

Debug form

Fillup mandatory fields (the red ones) with appropriate values. Empty values will not be included in output.

Use either destination-card-no or destination-card-ref-id

URL		input URL
login		your login should be used as Consumer Public for OAuth
client_orderid		make it or use your internal invoice ID
destination-card-no		enter the beginning of the sequence, and then "i".
destination-card-ref-id
order_desc
amount
currency
ipaddress
first_name
middle_name
last_name
ssn
birthday
address1
city
state
zip_code
country
phone
cell_phone
email
purpose
receiver_first_name
receiver_middle_name
receiver_last_name
receiver_phone
receiver_resident
receiver_identity_document_series
receiver_identity_document_number
receiver_identity_document_id
receiver_address1
receiver_city
redirect_url
redirect_success_url
redirect_fail_url
server_callback_url
merchant_data

Normalized parameters string to sign, according to OAuth 1.0a rules

POST body parameters to submit

OAuth 1.0a headers to submit.

HEX Encoded Signature

^{* HEX encoded string is for debug purposes only. You shouldn't send this string to the server neither in HEX nor in Encoded HEX representation.}

Base64 Encoded Signature

^{* Binary RSA-SHA256 signature directly encoded in base64 should be sent to the server.}

RSA-SHA256 Integration example ¶

This is an example of integration to Apropay server: * PHP

4.3.3. Libraries ¶

We use a simplified flow in which there’s no external authenticator, and there’s no access token and its secret; only the last step of the flow is used.

Merchant login is specified as client identifier (aka consumer key or API token).

A lot of OAuth 1.0a libraries for various programming languages can be found here .
RSA-SHA256 signing method is usually not present in OAuth libraries, but such libraries can be further adjusted by merchant’s tech team.
Some libraries which may be used:

Quick search

4.3. OAuth¶

Debug form