API Docs

Signatures and Security

Data sent to your server from the user’s browser cannot be trusted. When receiving a transaction confirmation from @Pay’s JS API, @Pay provides a signature that can act as a trusted corroboration of the data within the confirmation.

If the data from @Pay’s JS API transaction confirmation will not affect your data or your process, or you rely solely on data sent directly to you from @Pay, you do not need to verify the signature on the javascript response.

The signature on a successful registration is the HMAC-SHA1 hex digest of the returned credit card token, keyed with your private key; the transaction signature is the HMAC-SHA1 hex digest of the string "transaction_id/transaction_balance", keyed the same way. Verify both on your server (note that the transaction object on the response will not exist if you don't perform a transaction on the registration request, so the transaction fields will be absent in that case).

// response.transaction is absent when the registration carried no transaction,
// so guard the dereference instead of letting the post fail with a TypeError.
var tx = response.transaction || {};
$.post("/token/verification", {
  signature: response.signature,
  transaction_id: tx.id,
  transaction_signature: tx.signature,
  transaction_balance: tx.balance,
  token: response.atpay_token
}, function(result){
  if(result.status == 'ok'){
    alert("OK");
  }else if(result.status == 'fail'){
    alert("FAIL");
  }
});

And on the server (sample in ruby):

require 'openssl'
require 'active_support/security_utils'

# ...
# Expected token signature: HMAC-SHA1 over the token, keyed with your private key.
digest = OpenSSL::HMAC.hexdigest("sha1", ATPAY_PRIVATE_KEY, params[:token].to_s)
# Expected transaction signature: HMAC-SHA1 over "transaction_id/transaction_balance".
transaction_digest = OpenSSL::HMAC.hexdigest("sha1", ATPAY_PRIVATE_KEY, "#{params[:transaction_id]}/#{params[:transaction_balance]}")

# Compare with a constant-time comparison rather than == so the check does not
# leak how many leading characters of the digest matched.
if ActiveSupport::SecurityUtils.secure_compare(digest, params[:signature].to_s) &&
   ActiveSupport::SecurityUtils.secure_compare(transaction_digest, params[:transaction_signature].to_s)
  render :json => { :status => "ok" }
else
  render :json => { :status => "fail" }
end
# ...
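The verification described above, as a complete stand-alone Ruby example that is added here and is not @Pay's own code. It recomputes both HMAC-SHA1 digests from the posted fields, compares them in constant time, and treats a confirmation with no transaction fields as "token verified, transaction not verified" rather than failing or silently passing. The private key, token, transaction id and balance are constructed sample values, and the helper names (secure_equal?, verify_confirmation, sample_params) are this example's own.

```ruby
require 'openssl'

# Constructed sample key for the example; a real deployment loads the @Pay
# private key from configuration, never from source.
ATPAY_PRIVATE_KEY = 'example-private-key-do-not-use'.freeze

# Constant-time equality for two hex digests: XOR every byte pair and OR the
# results, so the time taken does not depend on where the first mismatch is.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# HMAC-SHA1 hex digest over the credit card token, keyed with the private key.
def token_signature(key, token)
  OpenSSL::HMAC.hexdigest('sha1', key, token.to_s)
end

# HMAC-SHA1 hex digest over "transaction_id/transaction_balance".
def transaction_signature(key, transaction_id, balance)
  OpenSSL::HMAC.hexdigest('sha1', key, "#{transaction_id}/#{balance}")
end

# Verify a confirmation posted from the browser. `params` carries the same
# fields the JS snippet posts. Returns a hash with :status ('ok' or 'fail')
# and :transaction_verified (true only when a transaction signature checked out).
def verify_confirmation(params, key: ATPAY_PRIVATE_KEY)
  expected_token_sig = token_signature(key, params[:token])
  unless secure_equal?(expected_token_sig, params[:signature])
    return { status: 'fail', transaction_verified: false }
  end

  # A registration without a transaction carries no transaction fields, so
  # there is nothing further to verify; callers that depend on a transaction
  # must check :transaction_verified rather than :status alone.
  if params[:transaction_id].nil? || params[:transaction_id].to_s.empty?
    return { status: 'ok', transaction_verified: false }
  end

  expected_tx_sig = transaction_signature(key, params[:transaction_id], params[:transaction_balance])
  if secure_equal?(expected_tx_sig, params[:transaction_signature])
    { status: 'ok', transaction_verified: true }
  else
    { status: 'fail', transaction_verified: false }
  end
end

# Constructed confirmation as the browser would post it (sample values only).
def sample_params(key: ATPAY_PRIVATE_KEY)
  token   = 'tok_constructed_example'
  tx_id   = '12345'
  balance = '19.99'
  {
    token: token,
    signature: token_signature(key, token),
    transaction_id: tx_id,
    transaction_balance: balance,
    transaction_signature: transaction_signature(key, tx_id, balance)
  }
end

if __FILE__ == $PROGRAM_NAME
  good = sample_params
  puts "valid confirmation:    #{verify_confirmation(good).inspect}"
  # Changing the balance after the fact invalidates the transaction signature.
  tampered = good.merge(transaction_balance: '1999.99')
  puts "tampered balance:      #{verify_confirmation(tampered).inspect}"
  # A registration with no transaction verifies the token only.
  no_tx = good.reject { |k, _| k.to_s.start_with?('transaction') }
  puts "no transaction fields: #{verify_confirmation(no_tx).inspect}"
end
```

Returning a separate transaction_verified flag is the point of the design: a client that omits the transaction fields should not be able to make a server that relies on the transaction believe one was verified, while a plain token registration still succeeds.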
