Version: v2

Authentication

A merchant platform must identify itself by sending its assigned Merchant Account ID in the X-Merchant-Account-ID header value with every Checkout request.

tip

Contact your PayJustNow account manager to provide you with your Merchant Account ID and Merchant Account API Key for the environment you are integrating with. You will need these in order to obtain a secret signing key.

In addition to the above, every request also requires a calculated signature to be sent in the X-Signature header value.

Signature Algorithm

The signature is the base64-encoded HMAC-SHA256 of the request body payload with all whitespace (including tabs, newlines, etc.) removed, keyed with the secret signing key.

See the Installation document on how to configure the gateway settings and obtain a secret signing key.

This is an example of a method that can validate signatures for a given payload based on this algorithm:

/src/authentication.ts
    import * as crypto from 'crypto';
    var bufferEq = require('buffer-equal-constant-time');

    /**
     * Validates a signature for a payload
     * @param payload // {"json":"body payload of the request"}
     * @param secret_signing_key // b9d9d345-2f99-4db9-86c7-ef52509dc29c
     * @param signature_to_validate // 60brkjy0NWMql+ljwLE5pq4c+eXbzD8C+uMyzgcoIcA=
     * @returns boolean of signature valid or not // true
     */
    export function validateSignature(payload : string, secret_signing_key: string, signature_to_validate: any) {
      var hmac = crypto.createHmac('sha256', secret_signing_key);
      // Remove all whitespace from the payload before computing the HMAC
      hmac.write(payload.replace(/\s/g,''));
      hmac.end()
      var sig = hmac.read();
      // Compare the base64 signatures in constant time
      return bufferEq(Buffer.from(sig.toString('base64')), Buffer.from(signature_to_validate));
    }

If a request does not carry a valid X-Merchant-Account-ID and X-Signature combination, the API will respond with an HTTP 401 status code.

Here is an example of a request that includes valid X-Merchant-Account-ID and X-Signature header values:

    POST /v2/create
    X-Signature: Aqs1X5sCW+r2XHw7wAE9XYWSeb8mNznlw/cB94xOKBc=
    X-Merchant-Account-ID: 1
    Content-Type: application/json
    Accept: */*
    Host: sandbox-checkout.payjustnow.io
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Content-Length: 670

    {
      "payjustnow": {
        "merchantOrderReference": "A26615830",
        "orderAmountCents": 240000,
        "orderItems": [
          {
            "name": "UGG Boots Purple Size 6",
            "sku": "UGG-BB-PUR-06",
            "quantity": 2,
            "priceCents": 120000,
            "imageUrl": "https://merchantstore.com/uggboots/purp6.jpeg",
            "pageUrl": "https://merchantstore.com/uggboots",
            "searchTerms": [
              "ugg",
              "boots",
              "purple"
            ]
          }
        ],
        "confirmRedirectUrl": "https://storefront.com/order/3dje30",
        "cancelRedirectUrl": "https://storefront.com/order/3dje30"
      },
      "checkoutTotalCents": 240000
    }

tip

On our Sandbox environment only, a 401 response will also include the expected signature in the response body to aid in testing.
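
The signing side of the algorithm described under Signature Algorithm, together with a verifier built on Node's built-in `crypto.timingSafeEqual` rather than `buffer-equal-constant-time`. This is an added example, not PayJustNow's own code; the function names, the all-zero signing key and the trimmed order body are constructed placeholders.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Canonical form per the algorithm above: every whitespace character is
// removed, including whitespace inside JSON string values.
function canonicalize(body: string): string {
  return body.replace(/\s/g, '');
}

// Value for the X-Signature header: base64(HMAC-SHA256(key, canonical body)).
function signPayload(body: string, secretSigningKey: string): string {
  return createHmac('sha256', secretSigningKey)
    .update(canonicalize(body), 'utf8')
    .digest('base64');
}

// Constant-time check. timingSafeEqual throws on unequal lengths, so compare
// lengths first; the length of a base64 SHA-256 MAC is not secret.
function verifyPayload(body: string, secretSigningKey: string, signature: string): boolean {
  const expected = Buffer.from(signPayload(body, secretSigningKey), 'utf8');
  const received = Buffer.from(String(signature), 'utf8');
  return expected.length === received.length && timingSafeEqual(expected, received);
}

// Headers a merchant platform would attach to a Checkout request.
function buildHeaders(body: string, merchantAccountId: string, key: string): Record<string, string> {
  return {
    'Content-Type': 'application/json',
    'X-Merchant-Account-ID': merchantAccountId,
    'X-Signature': signPayload(body, key),
  };
}

// Constructed sample data: placeholder key and a trimmed order body.
const SAMPLE_KEY = '00000000-0000-0000-0000-000000000000';
const order = {
  payjustnow: { merchantOrderReference: 'A26615830', orderAmountCents: 240000 },
  checkoutTotalCents: 240000,
};
const pretty = JSON.stringify(order, null, 2); // indented form
const compact = JSON.stringify(order);         // no insignificant whitespace

// Both serializations canonicalize to the same bytes, so they sign identically.
console.log(buildHeaders(pretty, '1', SAMPLE_KEY));
console.log(signPayload(pretty, SAMPLE_KEY) === signPayload(compact, SAMPLE_KEY));
```

Because whitespace inside string values is stripped as well, the signature does not distinguish "UGG Boots" from "UGGBoots"; any check that depends on whitespace in a field has to be enforced separately from the signature.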