To ensure operation integrity and perform secure transactions, a security signature must be included in every request. This signature validates that the data has not been tampered with and originates from an authenticated merchant.
To generate this signature, the following 4 elements are required:
key ID: The merchant's public key.order_id: The unique order identifier.endpoint: The entry point or identifier of the service being used.secret key: The merchant's secret key (used to sign the hash).IMPORTANT: SECURITY ALERT
The generation of this signature MUST be performed strictly on the Server-Side (Backend).
Under no circumstances should you perform this process on client-side applications (Frontend or Mobile Apps), as doing so would expose your secret key to the public. If an attacker obtains your secret key, they could generate fraudulent transactions on your behalf. Keep your verification logic and keys protected on your server.
Concatenation: Create a string by concatenating the elements in the following specific order, using the | (pipe) character as a delimiter: Pattern: key_id|order_id|endpoint
Hashing (Encryption): The new security standard requires the use of HMAC with the SHA-3 family. The concatenated string must be processed using the HMAC-SHA3-512 algorithm, assigning your secret_key as the cryptographic key.
Ejemplo
| Name | Value |
|---|---|
key ID |
7812290000 |
order_id |
00000123 |
endpoint |
https://pixelpay.app |
secret key |
3422da00-4dc2-4602-d366-56ac7 |
String to sign: 7812290000|00000123|https://pixelpay.app
Result (Signature): By applying HMAC-SHA3-512 with the secret key on the string above, you will obtain the required value to authorize the transaction.
To see implementation examples in our use cases, click here.