Authentication

Secure authentication is crucial when integrating with the Checkout API. The API uses RSA key pairs: each party signs the messages it sends and verifies the signature on the messages it receives, which gives both integrity and proof of origin for every request and response.

Signature and Public/Private Key Pairs

Digital signatures ensure the reliability and authenticity of API data. Each merchant (qualified API caller) is assigned a StoreID by myPOS. API access is authenticated using the StoreID and an RSA signature.

How Signatures Are Calculated

  1. Concatenate the values of all POST request fields (except the Signature property) with dashes (-), in the order the fields are sent. Only the values are joined, not the field names, so sender and receiver must agree on the field order.
  2. Base64 encode the resulting string.
  3. Sign the encoded string with your private RSA key using RSA with SHA-256 (the OPENSSL_ALGO_SHA256 algorithm of openssl_sign).
  4. Base64 encode the signature.
  5. Add the signature as the Signature property in the POST request.
  6. The receiver (myPOS or merchant) removes the Signature property, repeats the concatenation and Base64 encoding, and verifies the signature using the sender's public key.

Important: Merchants must always verify the signature on every call received from myPOS Web Checkout before acting on it. A notification whose signature is missing or invalid must be rejected; otherwise anyone who knows the notification URL can forge a "paid" status for an order.

Key Exchange and Security

  • Merchants and myPOS must exchange RSA keys before making API calls.
  • RSA key length must be 2048 bits.
  • Merchants use their private key to sign API requests; myPOS verifies with the merchant’s public key.
  • myPOS signs API responses; merchants should verify with myPOS’s public key.
  • Both parties generate public/private key pairs and exchange public certificates (PEM-encoded PKCS7 files).
  • Each message is signed, and the receiver authenticates the sender using the public certificate.
  • myPOS provides a unique public certificate for each online store.
  • Merchants can generate and manage multiple public certificates, each with a key index.
  • myPOS public certificates can be downloaded from the merchant portal.
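The steps and roles above, as an added example that is not part of the myPOS documentation or SDK: a complete sign-and-verify round trip in PHP. Because a real key pair and the myPOS certificate cannot be embedded here, the script generates a throw-away 2048-bit RSA key pair with openssl_pkey_new so that it runs offline; in production the merchant signs with its own private key and verifies callbacks with the myPOS certificate downloaded from the merchant portal. The field names other than IPCmethod (KeyIndex, SID, Amount, Currency, OrderID) and their values are illustrative placeholders, not the documented request format. The example goes beyond the happy path and shows the three failure cases a receiver must handle: a tampered value, a different field order, and a missing Signature.

```php
<?php
// Added example, not myPOS code: sign/verify round trip for the IPC concatenation scheme.
declare(strict_types=1);

/** Build the string that is signed: all values except Signature, joined with '-', then Base64. */
function ipcSignedPayload(array $fields): string
{
    unset($fields['Signature']);
    return base64_encode(implode('-', array_values($fields)));
}

/** Sign the request fields with RSA/SHA-256; returns the Base64 value for the Signature property. */
function ipcSign(array $fields, string $privateKeyPem): string
{
    $key = openssl_pkey_get_private($privateKeyPem);
    if ($key === false) {
        throw new RuntimeException('Unusable private key: ' . openssl_error_string());
    }
    if (!openssl_sign(ipcSignedPayload($fields), $raw, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('Signing failed: ' . openssl_error_string());
    }
    return base64_encode($raw);
}

/** Verify a received request. Returns true only for a valid RSA/SHA-256 signature. */
function ipcVerify(array $received, string $publicKeyPem): bool
{
    if (!isset($received['Signature']) || !is_string($received['Signature'])) {
        return false;                                   // unsigned request: reject
    }
    $sig = base64_decode($received['Signature'], true); // strict mode rejects malformed Base64
    if ($sig === false) {
        return false;
    }
    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false) {
        throw new RuntimeException('Unusable public key: ' . openssl_error_string());
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1/false (error); only 1 means success.
    return openssl_verify(ipcSignedPayload($received), $sig, $key, OPENSSL_ALGO_SHA256) === 1;
}

// --- Demo with a generated key pair and constructed data (not real myPOS credentials) ---
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $privPem);                 // merchant-side secret
$pubPem = openssl_pkey_get_details($pair)['key'];     // what the other party verifies with

$request = [
    'IPCmethod' => 'IPCPurchase',
    'KeyIndex'  => '1',                // placeholder: index of the merchant key in use
    'SID'       => '000000000000010',  // placeholder StoreID
    'Amount'    => '12.50',
    'Currency'  => 'EUR',
    'OrderID'   => 'ORDER-1001',
];
$request['Signature'] = ipcSign($request, $privPem);

var_dump(ipcVerify($request, $pubPem));          // true: untouched request

$tampered = $request;
$tampered['Amount'] = '0.01';                    // attacker lowers the amount in transit
var_dump(ipcVerify($tampered, $pubPem));         // false: signed string no longer matches

$reordered = ['Amount' => '12.50'] + $request;   // same values, Amount moved to the front
var_dump(ipcVerify($reordered, $pubPem));        // false: concatenation order is part of what is signed

unset($tampered['Signature']);
var_dump(ipcVerify($tampered, $pubPem));         // false: a request without Signature is rejected
```

Run it with `php example.php`; the four var_dump lines print true, false, false, false. The reordering case is the one most often missed in practice: because only values are concatenated, a receiver that rebuilds the array in a different order than the sender will reject legitimate messages, and a receiver that sorts or filters fields before verifying may accept a message whose fields were swapped.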

RSA Key Pair

An RSA key pair consists of a private key (for signing) and a public key (for verifying signatures).

Generating an RSA Key Pair

You can generate a key pair using the onsite generator during the integration process:

  1. Select the custom integration method in the setup wizard.
  2. Click Generate Pair Keys.
  3. Copy the keys into your code as parameters for signature generation.

Configuration Pack

For easier setup, you can use a Configuration pack. This combines all mandatory settings—Key pair, Key Index, Store ID, and Client number—into a single string. Using the configuration pack saves time and ensures all settings are correct.

Signature Examples

Example

<?php

// The POST data array (only the IPCmethod value is shown; the remaining fields are elided)
$postData = array('IPCmethod'=>'IPCPurchase', ............); 

// Example RSA private key (2048-bit, PEM). Load the real key from protected storage, not from source code.
$privKey = '-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----'; 

// Concatenate all values from $postData with '-' and Base64-encode the result
$concData = base64_encode(implode('-', $postData)); 

// Load the key (openssl_get_privatekey() is an alias of this function); a bad key returns false
$privKeyObj = openssl_pkey_get_private($privKey);
if ($privKeyObj === false) {
    throw new RuntimeException('Cannot load private key: ' . openssl_error_string());
}

// Sign with RSA/SHA-256; $signature receives the raw (binary) signature
if (!openssl_sign($concData, $signature, $privKeyObj, OPENSSL_ALGO_SHA256)) {
    throw new RuntimeException('Signing failed: ' . openssl_error_string());
}

// Base64 encoding of the signature
$signature = base64_encode($signature); 

// Add the signature to the POST request
$postData['Signature'] = $signature; 

// openssl_free_key() is deprecated since PHP 8.0 and is a no-op there (keys are freed automatically);
// it is only needed on PHP 7.
if (PHP_VERSION_ID < 80000) {
    openssl_free_key($privKeyObj);
}

?>

Signature Verification Example

<?php

// Save the POST request data in $data
$data = $_POST;

// myPOS public certificate for this store (download it from the merchant portal)
$cert = '-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----';

// Reject unsigned requests outright
if (!isset($data['Signature'])) {
    http_response_code(400);
    exit;
}

// Save the signature, then remove it from the array so it is not part of the signed string
$signature = $data['Signature'];
unset($data['Signature']);

// Concatenate all remaining values with '-' and Base64-encode, exactly as the sender did
$concData = base64_encode(implode('-', $data));

// Decode the signature strictly; malformed Base64 means the request is not valid
$rawSignature = base64_decode($signature, true);
if ($rawSignature === false) {
    http_response_code(400);
    exit;
}

// Extract the public key from the certificate (openssl_get_publickey() is an alias of this function)
$pubKeyId = openssl_pkey_get_public($cert);
if ($pubKeyId === false) {
    throw new RuntimeException('Cannot load myPOS certificate: ' . openssl_error_string());
}

// Verify: returns 1 for a valid signature, 0 for an invalid one, -1 (or false) on error,
// so only a strict comparison with 1 counts as success
$res = openssl_verify($concData, $rawSignature, $pubKeyId, OPENSSL_ALGO_SHA256);

// openssl_free_key() is deprecated since PHP 8.0; the key object is released automatically

if ($res === 1) {
	// success: the request is authentic and unmodified
} else {
	// failure: do not act on the request (for example, do not mark the order as paid)
}

?>