
Signature verification

TIP

The merchant can verify the signature of the response or callback by following the steps below.

If tokenpay verifies the merchant's request signature as correct, it includes the reply signature in the HTTP header of the reply. We recommend that merchants verify the response signature.

Similarly, tokenpay includes the signature of the callback packet in the HTTP header of the callback. The merchant must verify the signature of the callback to ensure that the callback was sent by tokenpay.

Concatenate

First, the merchant obtains the following information from the response.

  • Reply timestamp in the HTTP header tokenpay-Timestamp.

  • Reply random string in the HTTP header tokenpay-Nonce.

  • Response body. Verify it with its fields in the order returned by the interface. An incorrect order will cause the check to fail.

The signature string has three lines, one parameter per line. Each line ends with \n (line break, ASCII value 0x0A), except the last line, which gets no \n. If a parameter itself ends in \n, you still need to append an \n.

Reply timestamp\n
Reply random string\n
Reply message body

For example, an HTTP reply message is as follows:

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 02 Apr 2019 12:59:40 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 2204
Connection: keep-alive
Keep-Alive: timeout=8
Content-Language: zh-CN
tokenpay-Nonce: c5ac7061fccab6bf3e254dcf98995b8c
tokenpay-Signature: CtcbzwtQjN8rnOXItEBJ5aQFSnIXESeV28Pr2YEmf9wsDQ8Nx25ytW6FXBCAFdrr0mgqngX3AD9gNzjnNHzSGTPBSsaEkIfhPF4b8YRRTpny88tNLyprXA0GU5ID3DkZHpjFkX1hAp/D0fva2GKjGRLtvYbtUk/OLYqFuzbjt3yOBzJSKQqJsvbXILffgAmX4pKql+Ln+6UPvSCeKwznvtPaEx+9nMBmKu7Wpbqm/+2ksc0XwjD+xlvlECkCxfD/OJ4gN3IurE0fpjxIkvHDiinQmk51BI7zQD8k1znU7r/spPqB+vZjc5ep6DC5wZUpFu5vJ8MoNKjCu8wnzyCFdA==
tokenpay-Timestamp: 1554209980
Cache-Control: no-cache, must-revalidate

{"app_id":"xxxx"}

Then the signature string is

1554209980
c5ac7061fccab6bf3e254dcf98995b8c
{"app_id":"xxxx"}

Reply

The tokenpay reply signature is transmitted through the HTTP header tokenpay-Signature. (Note: the example may contain line breaks because of typesetting; the actual data should be on one line.)

CtcbzwtQjN8rnOXItEBJ5aQFSnIXESeV28Pr2YEmf9wsDQ8Nx25ytW6FXBCAFdrr0mgqngX3AD9gNzjnNHzSGTPBSsaEkIfhPF4b8YRRTpny88tNLyprXA0GU5ID3DkZHpjFkX1hAp/D0fva2GKjGRLtvYbtUk/OLYqFuzbjt3yOBzJSKQqJsvbXILffgAmX4pKql+Ln+6UPvSCeKwznvtPaEx+9nMBmKu7Wpbqm/+2ksc0XwjD+xlvlECkCxfD/OJ4gN3IurE0fpjxIkvHDiinQmk51BI7zQD8k1znU7r/spPqB+vZjc5ep6DC5wZUpFu5vJ8MoNKjCu8wnzyCFdA==

Judgment

Use AES-256-ECB to generate the signature (see Signature generation). Compare the generated signature with the reply signature. If they do not match, the data has been tampered with.
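The Concatenate and Judgment steps above, as an added Python example that is not tokenpay's own code. The `sign` callable stands for the merchant's implementation of the Signature generation page; the function names, `DEMO_KEY` and `demo_sign` are hypothetical, and `demo_sign` is an HMAC-SHA256 stand-in used only so the example runs offline, not tokenpay's AES-256-ECB scheme.

```python
import base64
import hashlib
import hmac

def signature_string(headers, body: bytes) -> bytes:
    # Builds: timestamp, newline, nonce, newline, body (no trailing newline).
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    ts, nonce = h["tokenpay-timestamp"], h["tokenpay-nonce"]  # KeyError if absent
    # Use every value verbatim (no strip) and the body bytes exactly as received:
    # re-serialising the JSON can reorder fields and change the string.
    return ts.encode() + b"\n" + nonce.encode() + b"\n" + body

def verify(headers, body: bytes, sign) -> bool:
    # sign(bytes) -> str is the merchant's own signature routine (an assumption).
    h = {k.lower(): v for k, v in headers.items()}
    received = h.get("tokenpay-signature", "")
    if not received:
        return False  # unsigned reply or callback: reject
    try:
        expected = sign(signature_string(headers, body))
    except KeyError:
        return False  # timestamp or nonce header missing
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())

# Stand-in signer so the example runs offline. It is NOT tokenpay's scheme:
# replace it with the routine from the Signature generation page.
DEMO_KEY = b"constructed-demo-key"

def demo_sign(message: bytes) -> str:
    mac = hmac.new(DEMO_KEY, message, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

# Header values and body taken from the sample reply on this page.
SAMPLE_HEADERS = {
    "tokenpay-Timestamp": "1554209980",
    "tokenpay-Nonce": "c5ac7061fccab6bf3e254dcf98995b8c",
}
SAMPLE_BODY = b'{"app_id":"xxxx"}'

if __name__ == "__main__":
    signed = dict(SAMPLE_HEADERS)
    signed["tokenpay-Signature"] = demo_sign(
        signature_string(SAMPLE_HEADERS, SAMPLE_BODY))
    print(verify(signed, SAMPLE_BODY, demo_sign))           # genuine reply
    print(verify(signed, b'{"app_id":"yyyy"}', demo_sign))  # tampered body
```

Pass the raw bytes read from the socket or framework request object as `body`; a parsed-and-re-dumped JSON object is not guaranteed to reproduce the signed string.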