Computing the Protocol Signature
Merchant Request Protocol Signing
Each request to the Intrapay system contains a signature (pSign). The signature is a SHA1 hash of the request parameters values concatenated and prefixed with the merchant passcode. The parameters values MUST be concatenated in their exact order (see description of each API method) and prefixed with the merchant passcode.
Please note that the pSign calculation will always use the EXACT values of the parameters needed, and NOT their urlencoded values!
A request with an incorrect pSign will be stopped immediately and won't be processed. This means that the returnURL/notifyURL will not be read for security reasons.
The Merchant is calling the API to execute a recurrent transaction (see corresponding section for parameters - "Recurring Transaction") in order to charge the previously saved customer's credit card with amount 100 in the corresponding card currency. Their internal Order ID is 13998, the Merchant ID is 34 and the Merchant Passcode is 1sd4#f@*7fd4. Also, the original transaction ID used for the recurring transaction as reference is 20140905-2CBBC34D822EAC4FB4B6-2C7D528CC5A57B925FD6.
Example of HTTPS call without the pSign:
[POST PARAMS] merchantID=34&amount=100.00&orderID= 13998&transactionID=20140905-2CBBC34D822EAC4FB4B6-2C7D528CC5A57B925FD6
In order to calculate the pSign the merchant has to generate a string with all parameters concatenated in their exact listed order (see the table for each API method) and
prefixed with the passcode. Therefore, the pSign string has to be composed as follows: 1sd4#f@*7fd4 + 34 +
100.00 + 13998 + 20140905-2CBBC34D822EAC4FB4B6-2C7D528CC5A57B925FD6.
So, in this example the result string is 1sd4#f@*7fd434100.001399820140905-2CBBC34D822EAC4FB4B6-2C7D528CC5A57B925FD6
Then the SHA1 hash of the above string will be generated in order to obtain the pSign – fcdd511663ff60de6a7cfe0acb5fba01d402e938
Example of HTTPS call with the pSign:
[POST PARAMS] merchantID=34&amount=100.00&orderID= 13998&transactionID=20140905-2CBBC34D822EAC4FB4B6-2C7D528CC5A57B925FD6 &pSign=fcdd511663ff60de6a7cfe0acb5fba01d402e938
The order of parameters specified in each API method table MUST be used in order to build a valid pSign for that specific call.