Skip to content

Introduction

Environmental Information

typevalue
Test or Production environment API addressPlease contact the operation staff
TimeZoneGMT+8

API Signature Specification

API Signature Specification

Note that this specification applies to API access in all countries.

Request Method

All API interfaces of Cashy are POST requests.

Request Header

ParameterRequiredTypeDescription
Content-TypeYstringapplication/json
MerchantIdYintMerchantId, generated by Cashy and provided to you
SignYstringRequest signature, see below for signature mechanism

Response Body

json
{
  "code": 200,
  "msg": "SUCCESS",
  "data": {}
}
ParameterTypeDescription
codeintResponse code, 200 is successful
msgstringResponse message
dataobjectResponse data

TIP

Note that when the code is 200, the request is successful. Other cases are request failures. pls refer to the msg field for specific failure reasons (can be found in the appendix of each country document).

Signature Mechanism

To ensure transaction security and API call security, Cashy will perform signature verification on all interface requests, and you need to sign all requests for Cashy to confirm your identity.

Before accessing, Cashy will assign the MerchantId and merchant apiKey of the merchant sandbox environment to the merchant. The merchant apiKey is used for signature, and the MerchantId is used to identify the merchant's identity.

TIP

  • When merchants request Cashy's API interface, they should pass the merchant ID through the request header MerchantId field.
  • When merchants request Cashy's API interface, they should use the MD5 digest algorithm to sign the request, and the signature is passed through the Sign field of the request header.

Merchants can follow the steps below to generate a request signature.

  1. Splice the request package body and merchant apiKey. content=request package body+apiKey
  2. Calculate the signature through the Md5 digest algorithm. signature = MD5(content)
  3. Pass the signature through the Sign field of the request header.

Asynchronous callback signature verification

When Cashy sends you an asynchronous callback notification, it will sign the callback request according to the above mechanism. After you receive the asynchronous callback notification, you need to verify the callback request to confirm that the callback request is indeed from Cashy.

  1. Calculate the signature According to the signature mechanism, get the complete package body of the Cashy asynchronous callback notification and your merchant key spliced, calculate the MD5, and get the signature value.
  2. Verify the signature Compare the signature value of the Sign field in the Cashy asynchronous callback request header with the signature value you calculated. If they are the same, the signature verification is passed, otherwise the signature verification fails.

DANGER

We strongly recommend that you: When processing asynchronous callback notifications from Cashy, you must verify the signature, which can maximize the security of your funds.

Signature/Verification Code Example

java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class DocsMerchantSignUtils {

    public static void main(String[] args) {
        String merchantId = "112345678";
        String apiKey = "K-xxxxxxxxxx";

        String httpRequestBody = "{\"orderNumber\":\"1386556787811426305\"}";

        // Sign
        String sign = DocsMerchantSignUtils.sign(httpRequestBody, apiKey);
        System.out.println(sign);
        // Verify Sign
        System.out.println(DocsMerchantSignUtils.verifySign(sign, httpRequestBody, apiKey));
    }

    /**
     * @param content   content
     * @param secretKey secretKey
     * @return String  sign
     */
    public static String sign(String content, String secretKey) {
        String signStr = content + secretKey;
        MessageDigest md = null;
        try {
            md = MessageDigest.getInstance("MD5");
            md.update(signStr.getBytes());
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
        return byte2HexString(md.digest());
    }


    /**
     * @param sign      sign
     * @param content   content
     * @param secretKey secretKey
     * @return verify result
     */
    public static boolean verifySign(String sign, String content, String secretKey) {
        return sign.equalsIgnoreCase(sign(content, secretKey));
    }

    /**
     * @param data data
     * @return String
     */
    private static String byte2HexString(byte[] data) {
        final char[] alphabets = "0123456789ABCDEF".toCharArray();
        int len = data.length;
        char[] res = new char[len << 1];
        int i = 0;
        for (int j = 0; i < len; ++i) {
            res[j++] = alphabets[(240 & data[i]) >>> 4];
            res[j++] = alphabets[15 & data[i]];
        }
        return new String(res);
    }
}
go
package main

import (
 "crypto/md5"
 "fmt"
)

func Md5UtilsHash(bodyJson, apiKey string) string {
 data := []byte(bodyJson + apiKey)
 has := md5.Sum(data)
 md5str1 := fmt.Sprintf("%x", has) //Convert []byte to decimal
 return md5str1
}

func main() {
 body := "{\"test\":\"test\"}"
 apiKey := "Your merchant key"
 sign := Md5UtilsHash(body, apiKey)
 fmt.Println(sign)
}
php
<?php
function md5UtilsHash($bodyJson, $apiKey) {
    $data = $bodyJson . $apiKey;
    $md5str1 = md5($data);
    return $md5str1;
}
$body = "{\"test\":\"test\"}"; // RequestBody
$apiKey = 'K-xxxxxxx'; // ApiKey
$sign = md5UtilsHash($body, $apiKey);
echo $sign;
python
import hashlib
def md5_utils_hash(body_json, api_key):
    data = body_json + api_key
    md5_hash = hashlib.md5(data.encode()).hexdigest()
    return md5_hash
body = "{\"test\":\"test\"}" # RequestBody
api_key = 'K-xxxxxxx'  # ApiKey
sign = md5_utils_hash(body, api_key)
print(sign)

Released under the MIT License.