Signing
For security purposes, we require ALL IOTPay API requests to be signed.
This sign should be included as part of each API request.
Signature algorithm
Example: var ex_body= { "c":"cat", "a":"apple", "b":"boat", "d":""};
Step 1:
Remove all keys with empty values from a copy of the body object
ex_body= { "c":"cat", "a":"apple", "b":"boat"};
Step 2:
Sort resulting body by key in ascending lexicographic order
ex_body= {"a":"apple", "b":"boat", "c":"cat"};
Step 3:
Concatenate resulting body into new string in URL parameter format "key1=value1&key2=value2"
mystr="a=apple&b=boat&c=cat"
Step 4:
Append your merchant key (assigned to you by IOTPay during onboarding) "&key={your_merchant_key}" to the end of mystr
mystr+="&key={your_merchant_key}"
Step 5:
MD5 hash mystr, then convert the hash result into all UPPERCASE. This is your sign
sign = toUpper(md5(mystr));
Step 6:
Attach sign value to original request body
ex_body.sign = sign; // you can now send the signed request
// ex_body before sending request
{"a":"apple", "b":"boat", "c":"cat", "sign": "DAC619FA1BC9526EBDA688A9DC842B7A"};
Recommended: Use Sign Validator to confirm your sign result is correct
Step 7 (Conditional):
You may need to perform an additional step if you meet ALL of the following conditions:
You have completed steps 1-6 and are still getting a sign validation error
subject is present in the request and is non-empty
subject contains non UTF8 encoded characters
If all of the above apply, you should URL-encode the contents of subject and overwrite the original value, as below:
ex_body.subject = url_encode(ex_body.subject);
Step 8 (Conditional):
Repeat step 7 for the body field
Step 9:
Info: Skip this step if and only if the endpoint is for creditCard
After verifying the sign value, json_encode the JSON object and concatenate it with params=, as below:
params={"a":"apple", "b":"boat", "c":"cat", "sign": "DAC619FA1BC9526EBDA688A9DC842B7A"}
Send the request with the header Content-Type: application/x-www-form-urlencoded
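Steps 1-6 above as a runnable Node.js sketch. This is an added example, not IOTPay's own code. The function names, the placeholder merchant key, the treatment of null/undefined as "empty" and the skipping of an existing sign key are assumptions.

```javascript
// Added example (not IOTPay's code): steps 1-6 of the signing procedure.
const { createHash } = require('crypto');

// Steps 1-4: build the string that gets hashed.
// Assumptions: "empty" means '', null or undefined, and an existing
// "sign" key is skipped so that re-signing a body gives the same result.
function canonicalString(body, merchantKey) {
  const pairs = Object.keys(body)
    .filter((k) => k !== 'sign')
    .filter((k) => body[k] !== '' && body[k] !== null && body[k] !== undefined) // step 1
    .sort()                                       // step 2: ascending by key
    .map((k) => `${k}=${body[k]}`);               // step 3: key=value
  return pairs.join('&') + `&key=${merchantKey}`; // step 4: append merchant key
}

// Step 5: MD5 over the UTF-8 bytes of the string, hex-encoded, upper-cased.
function computeSign(body, merchantKey) {
  return createHash('md5')
    .update(canonicalString(body, merchantKey), 'utf8')
    .digest('hex')
    .toUpperCase();
}

// Step 6: return a copy of the original body with sign attached.
// The caller's object is left unmodified.
function signRequest(body, merchantKey) {
  return { ...body, sign: computeSign(body, merchantKey) };
}

// Constructed sample input; PLACEHOLDER_KEY is not a real merchant key.
const exBody = { c: 'cat', a: 'apple', b: 'boat', d: '' };
console.log(canonicalString(exBody, 'PLACEHOLDER_KEY'));
console.log(signRequest(exBody, 'PLACEHOLDER_KEY'));
```

Keep the merchant key server-side only: anyone who holds it can produce a valid sign for any request body.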