Access to API

Learn to authenticate API requests and fix validation errors effectively

Understand the Solidgate validation and authentication process for API requests to gain access to the API and handle validation error messages effectively. Obtain the required credentials, including public and secret keys, and follow the signature creation and webhook validation steps to enable secure payment processing, proper authentication, and error management.

Retrieve your credentials

To start accepting payments, even in the sandbox environment, you’ll require credentials. These credentials are two Public ( publicKey ) and Secret ( secretKey ) keys, which should be applied for direct API calls and to check the webhook signature.

Obtain the keys from the personal account in the HUB by navigating to the Developers section and then proceeding to the Channel details page of the specific Channel:

API keys have the prefix api_pk_/api_sk_
Webhook keys have the prefix wh_pk_/wh_sk_

Public Key and Secret Key shall be applied to calculate the signature. The signature allows for verifying both the source and the integrity of the request details transmitted between the merchant and gateway.

Generate signature

The signature value is a base64-encoded string, which is a hexadecimal representation of the SHA-512 hash function. The encryption key utilized for this is the Secret Key. And for signature data, use the following string publicKey + jsonString + publicKey

For GET requests, which do not have a body, the signature data must simply be publicKey + publicKey

Parameter	Description	Test Data
publicKey	Public Key.	api_pk_8f8a8k8e8k8e8y8
jsonString	Request body in JSON string.	{"amount": "100", "currency": "USD"}
secretKey	Secret Key.	api_sk_8f8a8k8e8k8e8y8
*Both Public Key and Secret Key are provided at the moment of merchant registration and are used for signature generation. These keys play a vital role in generating secure signatures for authentication and verification purposes.

The generateSignature function takes the data and a secret key as parameters.
Generate the HMAC-SHA512 hash using the secret key and data.
Get the hexadecimal representation of the hash.
Encode hexadecimal representation of the hash directly to Base64.

Expected signature with test data
MjFkZGE3ZTZjODc0YjY5YTczOTlmOTBlYjk0MDY1NThiODJiZmE3ZTgxOGJjMWUxYjNkNTFjMDNjZmUzOGRlMTBhZGEzMmYxMGY3NTBlOTBlMGZkNDUwZTRiNmI5YTBiYTVmZWM5NzcxMjU3OWM0MGU5Mzg1NTljOTE1NTVlNzA=

PHP

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20


<?php
class SignatureGenerator
{
        public static function generateSignature(string $publicKey, string $jsonString, string $secret_key): string
    {
        $text = $publicKey . $jsonString . $publicKey;
        $hashedBytes = hash_hmac('sha512', $text, $secret_key);
        return base64_encode($hashedBytes);
    }
    public static function main(array $args): void
    {
        $public_key = 'api_pk_8f8a8k8e8k8e8y8';
        $json_string = '{"amount": "100", "currency": "USD"}';
        $secret_key = 'api_sk_8f8a8k8e8k8e8y8';
        $signature = self::generateSignature($public_key, $json_string, $secret_key);
        echo $signature . "\n";
    }    
}

SignatureGenerator::main([]);

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24


package main

import (
    "crypto/hmac"
    "crypto/sha512"
    "encoding/base64"
    "encoding/hex"
    "fmt"
)

func generateSignature(publicKey, jsonString, secretKey string) string {
    data := publicKey + jsonString + publicKey
    h := hmac.New(sha512.New, []byte(secretKey))
    h.Write([]byte(data))
    return base64.StdEncoding.EncodeToString([]byte(hex.EncodeToString(h.Sum(nil))))
}

func main() {
    publicKey := "api_pk_8f8a8k8e8k8e8y8"
    jsonString := `{"amount": "100", "currency": "USD"}`
    secretKey := "api_sk_8f8a8k8e8k8e8y8"
    signature := generateSignature(publicKey, jsonString, secretKey)
    fmt.Println(signature)
}

Kotlin

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25


package com.solidgate.examples

// https://mvnrepository.com/artifact/com.google.guava/guava
import com.google.common.hash.Hashing
import java.nio.charset.StandardCharsets
import java.util.Base64

class SignatureGenerator {
    companion object {
        fun generateSignature(publicKey: String, jsonString: String, secretKey: String): String {
            val text = publicKey + jsonString + publicKey
            val hashedBytes = Hashing.hmacSha512(secretKey.toByteArray())
                .hashString(text, StandardCharsets.UTF_8).toString().toByteArray()
            return Base64.getEncoder().encodeToString(hashedBytes)
        }
    }
}

fun main() {
    val publicKey = "api_pk_8f8a8k8e8k8e8y8"
    val jsonString = "{\"amount\": \"100\", \"currency\": \"USD\"}"
    val secretKey = "api_sk_8f8a8k8e8k8e8y8"
    val signature = SignatureGenerator.generateSignature(publicKey, jsonString, secretKey)
    println(signature)
}

Python

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


import hashlib
import hmac
import base64

def generateSignature(public_key, json_string, secret_key):
    data = public_key + json_string + public_key
    hmac_hash = hmac.new(secret_key.encode('utf-8'), data.encode('utf-8'), hashlib.sha512).digest()
    return base64.b64encode(hmac_hash.hex().encode('utf-8')).decode('utf-8')

public_key = "api_pk_8f8a8k8e8k8e8y8"
json_string = "{\"amount\": \"100\", \"currency\": \"USD\"}"
secret_key = "api_sk_8f8a8k8e8k8e8y8"

signature = generateSignature(public_key, json_string, secret_key)
print(signature)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27


using System;
using System.Security.Cryptography;
using System.Text;

public class SignatureGenerator {
    
    public static string GenerateSignature(string publicKey, string jsonString, string secretKey) {
        string data = publicKey + jsonString + publicKey;
        byte[] secretKeyBytes = Encoding.UTF8.GetBytes(secretKey);
        byte[] dataBytes = Encoding.UTF8.GetBytes(data);
        using (var hmac = new HMACSHA512(secretKeyBytes)) {
            byte[] hashBytes = hmac.ComputeHash(dataBytes);
            string hexHash = BitConverter.ToString(hashBytes).Replace("-", "").ToLower();
            byte[] base64Bytes = Encoding.UTF8.GetBytes(hexHash);
            string base64Signature = Convert.ToBase64String(base64Bytes);
            return base64Signature;
        }
    }
    
    public static void Main(string[] args) {
        string publicKey = "api_pk_8f8a8k8e8k8e8y8";
        string jsonString = "{\"amount\": \"100\", \"currency\": \"USD\"}";
        string secretKey = "api_sk_8f8a8k8e8k8e8y8";
        string signature = SignatureGenerator.GenerateSignature(publicKey, jsonString, secretKey);
        Console.WriteLine(signature);
    }
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17


const crypto = require('crypto');

function generateSignature(publicKey, jsonString, secretKey) {
	const data = publicKey + jsonString + publicKey;
	const hmac = crypto.createHmac('sha512', secretKey);
	hmac.update(data);
	const hash = hmac.digest();
	const hexHash = hash.toString('hex');
	return Buffer.from(hexHash).toString('base64');
}

const publicKey = 'api_pk_8f8a8k8e8k8e8y8';
const jsonString = '{"amount": "100", "currency": "USD"}'
const secretKey = 'api_sk_8f8a8k8e8k8e8y8';

const signature = generateSignature(publicKey, jsonString, secretKey);
console.log(signature);

Java

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23


//dependency - https://mvnrepository.com/artifact/com.google.guava/guava
import com.google.common.hash.Hashing;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class SignatureGenerator {

  public static String generateSignature(String publicKey, String jsonString, String secretKey) {
    String text = publicKey + jsonString + publicKey;
    byte[] hashedBytes = Hashing.hmacSha512(secretKey.getBytes())
        .hashString(text, StandardCharsets.UTF_8).toString().getBytes();
    return Base64.getEncoder().encodeToString(hashedBytes);
  }

  public static void main(String[] args) {
    String publicKey = "api_pk_8f8a8k8e8k8e8y8";
    String jsonString = "{\"amount\": \"100\", \"currency\": \"USD\"}";
    String secretKey = "api_sk_8f8a8k8e8k8e8y8";
    String signature = generateSignature(publicKey, jsonString, secretKey);
    System.out.println(signature);
  }

}

Ruby

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17


require 'openssl'
require 'base64'

def generate_signature(public_key, json_string, secret_key)
  digest = OpenSSL::Digest.new('sha512')
  instance = OpenSSL::HMAC.new(secret_key, digest)
  instance.update(public_key + json_string + public_key)
  Base64.strict_encode64(instance.hexdigest)
end

# Example usage
public_key = "api_pk_8f8a8k8e8k8e8y8"
json_string = '{"amount": "100", "currency": "USD"}'
secret_key = "api_sk_8f8a8k8e8k8e8y8"

signature = generate_signature(public_key, json_string, secret_key)
puts "Signature value: #{signature}"

Authenticate your API request

To authenticate, you should add the following headers to each request:

Header	Description	Example
`merchant`	A unique Public Key is provided upon registration and must be shared for identification purposes.	api_pk_7b197……..ba108f842
`signature`	The request signature allows verification of the merchant’s authenticity on the payment gateway server.	MjNiYFdSdjVj……..hYmNiZDY=

Solidgate employs a similar Guide
Subscribe for events on your Solidgate account, so your integration can automatically trigger actions. authentication method for webhooks, using merchant and signature parameters in headers.

If signature created is incorrect, you will get the following response:

Fail Response Authentication

1
2
3
4
5
6
7
8


{
  "error": {
    "code": "1.01",
    "messages": [
      "Authentication failed"
    ]
  }
}

Domains and IP addresses

A systematic DNS check is a process where your system regularly performs DNS lookups for a specified domain, ensuring the latest IP addresses associated with that domain are always known.

This ensures that your system maintains an up-to-date list of IP addresses it should allow access.

Choose a DNS query tool
Use standard OS tools like nslookup or dig, or opt for specialized libraries based on your programming language.
Automate regular checks
Use an OS task scheduler (e.g., Linux’s cron) or another tool to auto-run DNS queries at regular intervals. It’s advisable to run checks at least hourly.
Execute DNS lookup for Solidgate domains
Query Solidgate-specific domains (form.solidgate.com, pay.solidgate.com, gate.solidgate.com, etc) to retrieve their associated IP addresses.
Update allowed IP address list
Based on the DNS query results, refresh the allowed IP addresses in your firewall or security tool. Ensure outdated or invalid IPs are removed.
Verify setup integrity
After updating, ensure your system processes requests originating from the latest IP addresses properly.

Systematic DNS checks for Solidgate offer multiple benefits: they ensure uninterrupted interaction between your system and Solidgate, even when IP addresses change, preventing unauthorized access by blocking requests from unauthorized IPs, thereby minimizing attack risks. These checks also ensure your system works with the latest data, so you don’t miss notifications or Guide
Subscribe for events on your Solidgate account, so your integration can automatically trigger actions. webhooks .

Furthermore, they automate IP list updates, saving time and resources in maintaining security.

Domain	IP Addresses
`form.solidgate.com`	35.71.171.3 / 52.223.55.91
`pay.solidgate.com`	75.2.5.94 / 99.83.143.51
`gate.solidgate.com`	75.2.6.81 / 99.83.231.16
`payment-page.solidgate.com`	13.32.99.52 / 13.32.99.80 / 13.32.99.95 / 13.32.99.4
`subscriptions.solidgate.com`	52.43.87.250 / 54.68.119.135
`reports.solidgate.com`	52.43.87.250 / 54.68.119.135
Regularly updating and monitoring the IP list is crucial to ensure uninterrupted and secure communication between your system and Solidgate.

Related articles FAQ

I can’t generate a signature/I am getting an error “1.01” “Authentication failed” during signature creation process

Solidgate HUB - Adding a new user

Solidgate HUB - User management

Solidgate HUB - Logs

Customers’ requests to personal data erasure (GDPR)