Signature Creation

Requests for interaction with the payment system shall be signed by using SHA256 algorithm.

To create a signature be required:

  1. In case of POST request, requestData request body is sorted alphabetically and encoded in BASE64

  2. In case of GET request, convert Query params to JSON. FROM: https://prapi.tarlanpayments.kz/transaction/api/v1/system/client/cards?merchant_id=123&project_id=124&project_client_id=999 TO: { "merchant_id" : 123, "project_client_id" : "999", "project_id" : 124} After conversion, sort alphabetically and encode in BASE64.

  3. Concatenate encoded request body (base64EncodedData) and secret (issued to the merchant by a payment insitution)

  4. Using hashing function SHA256 hash the obtained result (dataToSign)

  5. Add signature to the request header Authorization: Bearer sign

The entire request body is included in the signature, except for fields with an empty string value ""

The additional_data field is not involved in signature creating

curl --location 'https://prapi.tarlanpayments.kz/transaction/...' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer ff1a38a78ccca1b313ae172307e49112066ec2f5a1dfa2a76110104da3012896'
--data-raw '{}'
<?php

$requestData = [
    "project_client_id" => "9999",
    "merchant_id" => 1,
    "project_id" => 1,
    "additional_data" => ["key" => "This should be excluded"]
];

$secret = "12345";

// Remove the "additional_data" field from the request data
unset($requestData["additional_data"]);

// Sort the request data by keys in alphabetical order
ksort($requestData);

// Encode the sorted request data to JSON
$sortedJson = json_encode($requestData, JSON_UNESCAPED_SLASHES);

// Encode the sorted JSON to base64
$base64EncodedData = base64_encode($sortedJson);

// Concatenate the base64-encoded data with the secret
$dataToSign = $base64EncodedData . $secret;

// Hash the result to SHA-256
$sha256Hash = hash("sha256", $dataToSign);

echo $sha256Hash;