Computing the Protocol Signature

Merchant Request Protocol Signing

Each request to the Intrapay system contains a signature (pSign). The signature is a SHA1 hash of the request parameters values concatenated and prefixed with the merchant passcode. The parameters values MUST be concatenated in their exact order (see description of each API method) and prefixed with the merchant passcode.

Please note that the pSign calculation will always use the EXACT values of the parameters needed, and NOT their urlencoded values!

A request with an incorrect pSign will be stopped immediately and won't be processed. This means that the returnURL/notifyURL will not be read for security reasons.

Example Scenario:

The Merchant is calling the API to execute a recurrent transaction (see corresponding section for parameters - "Recurring Transaction") in order to charge the previously saved customer's credit card with amount 100 in the corresponding card currency. Their internal Order ID is 13998, the Merchant ID is 34 and the Merchant Passcode is 1sd4#f@*7fd4. Also, the original transaction ID used for the recurring transaction as reference is 20140905-2CBBC34D822EAC4FB4B6-2C7D528CC5A57B925FD6.


Example of HTTPS call without the pSign:

[POST URL] https://payment.intrapay.com/transaction/recurrent

[POST PARAMS] merchantID=34&amount=100.00&orderID= 13998&transactionID=20140905-2CBBC34D822EAC4FB4B6-2C7D528CC5A57B925FD6


In order to calculate the pSign the merchant has to generate a string with all parameters concatenated in their exact listed order (see the table for each API method) and prefixed with the passcode. Therefore, the pSign string has to be composed as follows: 1sd4#f@*7fd4 + 34 + 100.00 + 13998 + 20140905-2CBBC34D822EAC4FB4B6-2C7D528CC5A57B925FD6.
So, in this example the result string is 1sd4#f@*7fd434100.001399820140905-2CBBC34D822EAC4FB4B6-2C7D528CC5A57B925FD6

Then the SHA1 hash of the above string will be generated in order to obtain the pSign – fcdd511663ff60de6a7cfe0acb5fba01d402e938


Example of HTTPS call with the pSign:

[POST URL] https://payment.intrapay.com/transaction/recurrent

[POST PARAMS] merchantID=34&amount=100.00&orderID= 13998&transactionID=20140905-2CBBC34D822EAC4FB4B6-2C7D528CC5A57B925FD6 &pSign=fcdd511663ff60de6a7cfe0acb5fba01d402e938


The order of parameters specified in each API method table MUST be used in order to build a valid pSign for that specific call.