Security

Signature Creation

When making requests, the EpinTower API requires a SIGNATURE field to confirm the authenticity of each process taking place. Without a properly constructed SIGNATURE you will get an "Invalid signature" error and will not be able to make valid requests. To build a valid signature, follow the steps below. (Written for PHP; sample code for other languages will be added.)

Step 1: Deciding the data to hash

For each endpoint, the string of data to be hashed is listed in the SIGNATURE section under its request parameters. For this example, we will generate a signature for initializing a purchase.

    $clientId = "BA078F952DA3AA1B08141D22C69E11DA";
    $secretKey = "b1db2d4759e706079016fe7825e7ae18";
    $transactionId = "DF6649B8_9D57_53DF_2674_C768FE6DE0CB";

    // we concatenate the data as specified under the related endpoint's request parameters, in the 'SIGNATURE' section
    $dataToEncrypt = $clientId.$secretKey.$transactionId;

The order of the variables MUST BE as specified in each endpoint's SIGNATURE row under request parameters when concatenating.

Step 2: Hashing the data

The sha1 and bcrypt hashing algorithms are applied, in the order shown below, to build the signature string. By default bcrypt uses 10 rounds (cost 10), and that is the default in the EpinTower API.

Other bcrypt libraries may default to 12 rounds. In that case, change it to 10.

    // first, we hash '$dataToEncrypt' with sha1 (result: 40 lowercase hex characters)
    $shaHash = sha1($dataToEncrypt);

    // then we hash '$shaHash' with bcrypt; cost 10 is PHP's default and the EpinTower default
    $bcryptHash = password_hash($shaHash, PASSWORD_BCRYPT, ['cost' => 10]);

    $calculated_hash = $bcryptHash;

Step 3: Adding the signature to the request

While making requests to any endpoint in the EpinTower API, add SIGNATURE: "<calculated_hash>" to the request parameters.

Validating the response

After your request is made to the EpinTower API, response data is returned. You should check the integrity of that response data as shown in the steps below:

Step 1: Acquiring the hash

Each endpoint will return a SIGNATURE parameter that includes a hash string.

    $responseHash = $_POST["SIGNATURE"];

Step 2: Generating a sha1 hash

We concatenate the data as specified under the related endpoint's response parameters, in the 'SIGNATURE' section, and hash it with sha1.

    $clientId = "BA078F952DA3AA1B08141D22C69E11DA";
    $secretKey = "b1db2d4759e706079016fe7825e7ae18";
    $transactionId = "DF6649B8_9D57_53DF_2674_C768FE6DE0CB";

    // we concatenate the data as specified under the related endpoint's response parameters, in the 'SIGNATURE' section
    $dataToEncrypt = $clientId.$secretKey.$transactionId;

    $shaHash = sha1($dataToEncrypt);

Step 3: Checking the sha1 hash against the response signature with bcrypt

In this step, we verify that the response really came from the EpinTower API. By default bcrypt uses 10 rounds, and that is the default in the EpinTower API.

    // $shaHash is the sha1 hex string from Step 2; password_verify reads the cost from the hash itself
    if (password_verify($shaHash, $responseHash)) {
        // verified!
    } else {
        // reject the response: the signature does not match the expected data
    }