Sign a request and validate the signature
To ensure message transmission security, the Mobile Payment Provider (MPP) must properly perform message signing and signature validation:
- When calling an Alipay+ API, the MPP must sign the API request and validate the response signature accordingly. For more information, see Direction: MPP > Alipay+.
- When receiving an API call from Alipay+, the MPP must validate the request signature and sign the API response accordingly. For more information, see Direction: Alipay+ > MPP.
Direction: Mobile Payment Provider > Alipay+
This section introduces the MPP to Alipay+ API workflow.
Sign a request
The following steps demonstrate how to sign a request message:
1. Obtain your private key to sign the request
Get your private key ready, which is used to generate the signature later. In this topic, privateKey
is used to represent the private key.
2. Construct the content to be signed
Take a request as an example, which includes the following properties:
Request-URI
: /aps/api/v1/payments/payClient-Id
: TEST_5X00000000000000Request-Time
: 2019-05-28T12:12:12+08:00Request-Body
: The following code sample describes the body format. For example:
{
"order":{
"orderId":"OrderID_0101010101",
"orderDescription":"sample_order",
"orderAmount":{
"value":"100",
"currency":"JPY"
},
},
"paymentAmount":{
"value":"100",
"currency":"JPY"
},
"paymentFactor": {
"isInStorePayment": "true"
}
}
By complying with the Syntax of Content_To_Be_Signed, the content to be signed (Content_To_Be_Signed
) is created as follows:
POST /aps/api/v1/payments/pay
TEST_5X00000000000000.2019-05-28T12:12:12+08:00.{
"order":{
"orderId":"OrderID_0101010101",
"orderDescription":"sample_order",
"orderAmount":{
"value":"100",
"currency":"JPY"
},
},
"paymentAmount":{
"value":"100",
"currency":"JPY"
},
"paymentFactor": {
"isInStorePayment": "true"
}
}
Syntax of Content_To_Be_Signed
<HTTP-METHOD> <Request-URI>
<Client-Id>.<Request-Time>.<Request-Body>
HTTP-METHOD
: POSTRequest-URI
: The{endpoint}
part of the whole URLhttps://{host}{endpoint}
. For example:
- If the HTTP URL is
https://www.example.com/aps/api/v1/payments/pay
, this property is/aps/api/v1/payments/pay
.
Client-Id
: A unique ID that is assigned by Alipay+ to identify a Partner. You can get this field from the request header. For example,TEST_5X00000000000000
.Request-Time
: Specifies the time when a request is sent, as defined by ISO 8601.
Note: This field must be accurate to seconds. For example, 2019-05-28T12:12:12+08:00
and 2021-04-21T01:47:04Z
. You can get this field from the request header.
Request-Body
: The body of the request.
3. Calculate and generate the signature
Use the base64UrlEncode
and sha256withrsa
methods that involve the proper algorithm and private key to calculate and generate the signature.
generatedSignature=base64UrlEncode(sha256withrsa(<Content_To_Be_Signed>, <privateKey>))
Methods that are used:
sha256withrsa
: The method to generate a digital signature for the content provided.base64UrlEncode
: The method to encode the generated digital signature.
Input parameters:
Content_To_Be_Signed
: The content to be signed that is obtained in Step 2.privateKey
: The private key value that is obtained in Step 1.
The following code sample describes the generated signature (represented by generatedSignature
):
KrwDE9tAPJYBb4cUZU6ALJxGIZgwDXn5UkFPMip09n%2FkYKPhEIII%2Fki2rYY2lPtuKVgMNz%2BtuCU%2FjzRpohDbrOd8zYriiukpGAxBQDIVbatGI7WYOcc9YVQwdCR6ROuRQvr%2FD1AfdhHd6waAASu5Xugow9w1OW7Ti93LTd0tcyEWQYd2S7c3A73sHOJNYl8DC1PjasiBozZ%2FADgb7ONsqHo%2B8fKHsLygX9cuMkQYTGIRBQsvfgICnJhh%2BzXV8AQoecJBTrv6p%xxxx
4. Configure the signature in the request header
Assemble a signature string by using the following syntax:
'Signature: algorithm=<algorithm>, keyVersion=<key-version>, signature=<generatedSignature>'
algorithm
,keyVersion
: See the header of the Message structure chapter.generatedSignature
: The signature that is generated in Step 3.
The following sample describes an assembled signature string:
'Signature: algorithm=RSA256, keyVersion=0, signature=KrwDE9tAPJYBb4cUZU6ALJxGIZgwDXn5UkFPMip09n%2FkYKPhEIII%2Fki2rYY2lPtuKVgMNz%2BtuCU%2FjzRpohDbrOd8zYriiukpGAxBQDIVbatGI7WYOcc9YVQwdCR6ROuRQvr%2FD1AfdhHd6waAASu5Xugow9w1OW7Ti93LTd0tcyEWQYd2S7c3A73sHOJNYl8DC1PjasiBozZ%2FADgb7ONsqHo%2B8fKHsLygX9cuMkQYTGIRBQsvfgICnJhh%2BzXV8AQoecJBTrv6p%xxxx'
Then, add the signature string to the request header.
Send a request
Construct a request by adding the Client-Id
, Request-Time
, and Signature
fields to the request header. After a request is constructed, you can use common tools, such as cURL or Postman, to send the request. In the following example, cURL is used.
curl -X POST \
https://example.com/aps/api/v1/payments/pay \
-H 'Content-Type: application/json' \
-H 'Client-Id: TEST_5X00000000000000' \
-H 'Request-Time: 2019-05-28T12:12:12+08:00' \
-H 'Signature: algorithm=RSA256, keyVersion=0, signature=KrwDE9tAPJYBb4cUZU6ALJxGIZgwDXn5UkFPMip09n%2FkYKPhEIII%2Fki2rYY2lPtuKVgMNz%2BtuCU%2FjzRpohDbrOd8zYriiukpGAxBQDIVbatGI7WYOcc9YVQwdCR6ROuRQvr%2FD1AfdhHd6waAASu5Xugow9w1OW7Ti93LTd0tcyEWQYd2S7c3A73sHOJNYl8DC1PjasiBozZ%2FADgb7ONsqHo%2B8fKHsLygX9cuMkQYTGIRBQsvfgICnJhh%2BzXV8AQoecJBTrv6p%xxxx' \
-d '{
"order":{
"orderId":"OrderID_0101010101",
"orderDescription":"sample_order",
"orderAmount":{
"value":"100",
"currency":"JPY"
}
},
"paymentAmount":{
"value":"100",
"currency":"JPY"
},
"paymentFactor": {
"isInStorePayment": "true"
}
}'
Handle a response
After you receive a response, you need to validate the signature of the response. A response consists of a response header and a response body. The following examples show the header and body of a response:
- The response header sample
Client-Id: 5X00000000000000
Response-Time: 2019-05-28T12:12:14+08:00
Signature: algorithm=RSA256, keyVersion=0, signature=p9T2hXxIjek0UOLw3fwlthNsV6ATaioIvu8X1uFx8a9tE87d2XEhqylnf0KjifJ3WhCoMoklGwwlDS3tsSenwnL0Ha6BsXbJvUHRC5qcVlNy5Oq%2FpNqx2%2BKdwbw4eY7tZBDQhMKoaMVSbqbCb3eRBxxxx
- The response body sample
{
"result": {
"resultCode":"SUCCESS",
"resultStatus":"S",
"resultMessage":"success"
},
"paymentTime": "2019-05-28T12:12:13+08:00",
"paymentId":"1234567"
}
The following steps demonstrate how to validate a signature of a response by using the example above.
1. Obtain an Alipay+ public key
To get the Alipay+ public key, you must take the following steps:
- Create an application on Developer Center. For more information, see Create application in the Alipay+ Developer Center User Guide.
- Go to Settings, generate your public key with the provided tool, and submit your public key.
The Alipay+ public key is then generated automatically and can be obtained from the Alipay+ public key field.
Notes:
- Your public key in the sandbox environment must be different from the one in the production environment. Therefore, you must get the Alipay+ public keys for the sandbox environment and the production environment separately.
- For more information about getting the Alipay+ public keys for the sandbox environment, see Set a sandbox public key in the Alipay+ Developer Center User Guide.
- For more information about getting the Alipay+ public key for the production environment, see Set a production public key in the Alipay+ Developer Center User Guide.
2. Construct the content to be validated
Given the response body sample above, construct the content to be validated (Content_To_Be_Validated
) by complying with the Syntax of Content_To_Be_Validated as follows:
POST /aps/api/v1/payments/pay
TEST_5X00000000000000.2019-05-28T12:12:14+08:00.{
"result": {
"resultCode":"SUCCESS",
"resultStatus":"S",
"resultMessage":"success"
},
"paymentTime": "2019-05-28T12:12:13+08:00",
"paymentId":"1234567"
}
Syntax of Content_To_Be_Validated
<HTTP-METHOD> <Response-URI>
<Client-Id>.<Response-Time>.<Response-Body>
HTTP-METHOD
: POSTResponse-URI
: The URI of an HTTP link. For example, if the URL ishttps://example.com/aps/api/v1/payments/pay
, this field is/aps/api/v1/payments/pay
.Client-Id
: A unique ID that is assigned by Alipay+ to identify a Partner. You can get this field from the response header. For exampleTEST_5X00000000000000
.Response-Time
: Indicates the time when a response is returned, as defined by ISO 8601. Note: This field must be accurate to seconds. You can get this field from the response header.Response-Body
: Indicates the body of the response.
3. Get the signature from the response header
The target signature string ( target_signature
) is extracted from the Signature
header of the response. For details about the response header, see the chapter Message structure.
Signature: algorithm=RSA256, keyVersion=0, signature=<target_signature>
4. Validate the signature
Use the sha256withrsa_verify
method to validate the signature of the response.
The syntax of the sha256withrsa_verify
method is as follows:
IS_SIGNATURE_VALID=sha256withrsa_verify(base64UrlDecode(<target_signature>), <Content_To_Be_Validated>, <serverPublicKey>)
Methods:
base64UrlDecode
: The method to decode the signature.sha256withrsa_verify
: The method to verify the signature.
Input parameters:
target_signature
: The target signature that is obtained in Step 3.Content_To_Be_Validated
: The content to be validated, which is created in Step 2.serverPublicKey
: The platform public key that is obtained in Step 1.
Output parameter:
IS_SIGNATURE_VALID
: A Boolean value that specifies whether the signature is valid.
true
: The signature is valid.false
: The signature is not valid. Possible causes are that the private key and the public key do not match, orContent_To_Be_Validated
is not correctly constructed.
Direction: Alipay+ > Mobile Payment Provider
This section introduces the Alipay+ to MPP API workflow.
Handle a request
After you receive a request from Alipay+, you need to validate the signature of the request. The process is similar to the process introduced in Handle a response. To validate the signature, complete the following steps:
- Obtain the Alipay+ public key, which is used to validate the request signature.
- Construct the
Content_To_Be_Validated
, which is:
<HTTP-METHOD> <Request-URI>
<Client-Id>.<Request-Time>.<Request-Body>
Note: The
Request-URI
is the endpoint of your API path. For example, when Alipay+ sends a pay request to the API pathhttps://www.sampleMPP.com/aaa/bbb/ccc
, theRequest-URI
is/aaa/bbb/ccc
.
- Get the signature from the request header.
- Validate the signature.
Sign a response
You must sign your response before sending it to Alipay+. The process is similar to the process introduced in Sign a request. To sign your response, complete the following steps:
- Use your private key to sign the response.
- Construct the content to be signed, which is:
<HTTP-METHOD> <Response-URI>
<Client-Id>.<Response-Time>.<Response-Body>
HTTP-METHOD
: POSTResponse-URI
: TheResponse-URI
is the endpoint of your API path. For example, when you respond to Alipay+'s pay request, whose API path ishttps://www.sampleMPP.com/aaa/bbb/ccc
, theResponse-URI
is/aaa/bbb/ccc
.Client-Id
: A unique ID that is assigned by Alipay+ to identify a Partner. You can get this field from the response header. For example,TEST_5X00000000000000
.Response-Time
: Specifies the time when a request is sent, as defined by ISO 8601.
Note: This field must be accurate to seconds. For example, 2019-05-28T12:12:14+08:00
. You can get this field from the response header.
Response-Body
: The body of the request.
For example:
POST /aaa/bbb/ccc
TEST_5X00000000000000.2019-05-28T12:12:14+08:00.{
"result": {
"resultCode":"SUCCESS",
"resultStatus":"S",
"resultMessage":"success"
},
"paymentId":"201000000000000000000000004444",
"paymentTime": "2020-01-01T12:01:01+08:30",
"customerId":"2160000000000001"
}
- Calculate and generate the signature.
- Configure the signature in the response header.
Send a response
Construct a response by adding the Client-Id
, Response-Time
, and Signature
fields to the response header. After a response is constructed, you can use common tools, such as cURL or Postman, to send the response. The process is similar to the process introduced in Send a request.
In the following example, cURL is used:
curl -X POST \
https://www.sampleMPP.com/aaa/bbb/ccc \
-H 'Content-Type: application/json' \
-H 'Client-Id: TEST_5X00000000000000' \
-H 'Response-Time: 2019-05-28T12:12:14+08:00' \
-H 'Signature: algorithm=RSA256, keyVersion=0, signature=sampleSignature***' \
-d '{
"result": {
"resultCode":"SUCCESS",
"resultStatus":"S",
"resultMessage":"success"
},
"paymentId":"201000000000000000000000004444",
"paymentTime": "2020-01-01T12:01:01+08:30",
"customerId":"2160000000000001"
}'