Introduction
Environmental Information
| type | value |
|---|---|
| Test or Production environment API address | Please contact the operation staff |
| TimeZone | GMT+3 |
API Signature Specification
API Signature Specification
Note that this specification applies to API access in all countries.
Request Method
All API interfaces of Cashy are POST requests.
Request Header
| Parameter | Required | Type | Description |
|---|---|---|---|
Content-Type | Y | string | application/json |
MerchantId | Y | int | MerchantId, generated by Cashy and provided to you |
Sign | Y | string | Request signature, see below for signature mechanism |
Response Body
{
"code": 200,
"msg": "SUCCESS",
"data": {}
}| Parameter | Type | Description |
|---|---|---|
| code | int | Response code, 200 is successful |
| msg | string | Response message |
| data | object | Response data |
TIP
Note that when the code is 200, the request is successful. Other cases are request failures. pls refer to the msg field for specific failure reasons (can be found in the appendix of each country document).
Signature Mechanism
To ensure transaction security and API call security, Cashy will perform signature verification on all interface requests, and you need to sign all requests for Cashy to confirm your identity.
Before accessing, Cashy will assign the MerchantId and merchant apiKey of the merchant sandbox environment to the merchant. The merchant apiKey is used for signature, and the MerchantId is used to identify the merchant's identity.
TIP
- When merchants request Cashy's API interface, they should pass the merchant ID through the request header
MerchantIdfield. - When merchants request Cashy's API interface, they should use the MD5 digest algorithm to sign the request, and the signature is passed through the Sign field of the request header.
Merchants can follow the steps below to generate a request signature.
- Splice the request package body and merchant apiKey.
content=request package body+apiKey - Calculate the signature through the Md5 digest algorithm.
signature=MD5(content) - Pass the signature through the Sign field of the request header.
Asynchronous callback signature verification
When Cashy sends you an asynchronous callback notification, it will sign the callback request according to the above mechanism. After you receive the asynchronous callback notification, you need to verify the callback request to confirm that the callback request is indeed from Cashy.
- Calculate the signature According to the signature mechanism, get the complete package body of the Cashy asynchronous callback notification and your merchant key spliced, calculate the MD5, and get the signature value.
- Verify the signature Compare the signature value of the
Signfield in the Cashy asynchronous callback request header with the signature value you calculated. If they are the same, the signature verification is passed, otherwise the signature verification fails.
DANGER
We strongly recommend that you: When processing asynchronous callback notifications from Cashy, you must verify the signature, which can maximize the security of your funds.
Signature/Verification Code Example
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public class DocsMerchantSignUtils {
public static void main(String[] args) {
String merchantId = "112345678";
String apiKey = "K-xxxxxxxxxx";
String httpRequestBody = "{\"orderNumber\":\"P123456\"}";
// Sign
String sign = DocsMerchantSignUtils.sign(httpRequestBody, apiKey);
System.out.println(sign);
// Verify Sign
System.out.println(DocsMerchantSignUtils.verifySign(sign, httpRequestBody, apiKey));
}
/**
* @param content content
* @param secretKey secretKey
* @return String sign
*/
public static String sign(String content, String secretKey) {
String signStr = content + secretKey;
MessageDigest md = null;
try {
md = MessageDigest.getInstance("MD5");
md.update(signStr.getBytes());
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
return byte2HexString(md.digest());
}
/**
* @param sign sign
* @param content content
* @param secretKey secretKey
* @return verify result
*/
public static boolean verifySign(String sign, String content, String secretKey) {
return sign.equalsIgnoreCase(sign(content, secretKey));
}
/**
* @param data data
* @return String
*/
private static String byte2HexString(byte[] data) {
final char[] alphabets = "0123456789ABCDEF".toCharArray();
int len = data.length;
char[] res = new char[len << 1];
int i = 0;
for (int j = 0; i < len; ++i) {
res[j++] = alphabets[(240 & data[i]) >>> 4];
res[j++] = alphabets[15 & data[i]];
}
return new String(res);
}
}package main
import (
"crypto/md5"
"fmt"
)
func Md5UtilsHash(bodyJson, apiKey string) string {
data := []byte(bodyJson + apiKey)
has := md5.Sum(data)
md5str1 := fmt.Sprintf("%x", has) //Convert []byte to decimal
return md5str1
}
func main() {
body := "{\"test\":\"test\"}"
apiKey := "Your merchant key"
sign := Md5UtilsHash(body, apiKey)
fmt.Println(sign)
}<?php
function md5UtilsHash($bodyJson, $apiKey) {
$data = $bodyJson . $apiKey;
$md5str1 = md5($data);
return $md5str1;
}
$body = "{\"test\":\"test\"}"; // RequestBody
$apiKey = 'K-xxxxxxx'; // ApiKey
$sign = md5UtilsHash($body, $apiKey);
echo $sign;import hashlib
def md5_utils_hash(body_json, api_key):
data = body_json + api_key
md5_hash = hashlib.md5(data.encode()).hexdigest()
return md5_hash
body = "{\"test\":\"test\"}" # RequestBody
api_key = 'K-xxxxxxx' # ApiKey
sign = md5_utils_hash(body, api_key)
print(sign)