Secure Data Transmission

Overview

To safeguard against unauthorized access and tampering during transmission, Zalopay employs two techniques, HMAC and digital signatures, to ensure the integrity and authenticity of its data.

HMAC

Zalopay uses the HMAC technique in the mac field when clients make requests via APIs or receive callback requests from Zalopay, as well as in the checksum field of redirect requests, to protect the transmitted data. This technique is the primary method for securing data transmission at Zalopay.

There are three parts to note:

  • Algorithm: This is configured by the merchant. The default is the SHA-256 algorithm (HMAC-SHA256).
  • Data: This is created by joining the required fields with the | character. Refer to the API's specification for the exact fields and their order.
  • Key: Upon successful registration of your merchant account, we provide you with two keys: key1 and key2. key1 is used when making a request to Zalopay, and key2 is used when receiving callback or redirect requests from Zalopay.

Here is an example with CreateOrderAPI:

import CryptoJS from "crypto-js";
// ...

// configZLP holds the merchant configuration, including key1 provided by Zalopay
const order = {
  // request data
};

// Join the CreateOrder fields with "|" in the order required by the API specification
const data = [
  order.app_id,
  order.app_trans_id,
  order.app_user,
  order.amount,
  order.app_time,
  order.embed_data,
  order.item,
].join("|");

// HMAC-SHA256 over the joined data, keyed with key1, as a hex string
order.mac = CryptoJS.HmacSHA256(data, configZLP.key1).toString();

// Make the request with the order object

Digital signature

The main distinction between HMAC and a digital signature is that HMAC uses a single shared secret key for both creating and verifying the tag, whereas a digital signature uses a public-private key pair: the private key creates the signature and the public key verifies it. The client is responsible for storing the private key, while Zalopay stores the public key.

This technique is used for the sig field when making a request to Zalopay, for example in TopUpAPI.

There are three parts to note:

  • Algorithm: Zalopay uses the RSA algorithm.
  • Data: This depends on the API. Refer to the API's specification for the exact input to be signed.
  • Key: This is the private key that is provided when you register the merchant account.

Here is an example with TopUpAPI:

import CryptoJS from "crypto-js";
import rsa from "node-rsa";
// ...

// configZLP holds the merchant configuration: key1 and the RSA private key (secretKey)
const request = {
  // request data
};

// Join the TopUp fields with "|" in the order required by the API specification
const message = [
  request.appId,
  request.paymentId,
  request.partnerOrderId,
  request.mUId,
  request.amount,
  request.description,
  request.partnerEmbedData,
  request.extraInfo,
  request.time,
].join("|");

// HMAC-SHA256 over the joined data, keyed with key1 (the import above is CryptoJS, not crypto)
const mac = CryptoJS.HmacSHA256(message, configZLP.key1).toString();

// The input to the digital signature for TopUpAPI is the mac variable
const msg = Buffer.from(mac);

// Load the private key provided by Zalopay (PEM, PKCS#8 format)
const privateKey = Buffer.from(configZLP.secretKey);

// Sign the mac with RSA and encode the signature as base64
const rsaInstance = new rsa(privateKey, "pkcs8");
const signature = rsaInstance.sign(msg, "base64", "utf8");

request.sig = signature;
// Call TopUpAPI with the request object