Integration Steps
Method
Signature is used to ensure data integrity and authenticity of the request or response for each API. The signature needs to be provided using a private key. Our system supports the use of PKCS#1 for the private key, thus merchant should generate the signature with rsa_private_key.pem. The generated signature will be verified using a public key with rsa_public_key.pem.
Generate Private/Public Key Pair
Run this command on your terminal
Generate Private Key
openssl genrsa -out rsa_private_key.pem 2048
Generate Public Key
openssl rsa -in rsa_private_key.pem -out rsa_public_key.pem -pubout
You will need to send the generated public key to Durianpay team in zip format.
Request Overview
There are two type of requests:
- Obtaining Access Token (B2B)
- Transaction Request
Both of them has different request header and signature generation
Request Header
Request Header for obtaining B2B Access Token
Field | Attribute | Type | Description |
---|---|---|---|
Content-Type | Mandatory | String | String represents indicate the media type of the resource (e.g. application/json, application/pdf) |
X-TIMESTAMP | Mandatory | String | Client's current local time in ISO8601 format |
X-SIGNATURE | Mandatory | String | Represents signature of a request. Identify Signature Type used |
X-CLIENT-KEY | Mandatory | String | Unique ID for a partner given by Durianpay upon completing registration. The Unique ID can be seen in Settings-API Keys |
Request Header for Transaction API
Field | Attribute | Type | Description |
---|---|---|---|
Content-Type | Mandatory | String | String represents indicate the media type of the resource (e.g. application/json, application/pdf) |
Authorization | Mandatory | String | Represents access_token of a request; string starts with keyword “Bearer ” followed by access_token |
X-TIMESTAMP | Mandatory | String | Client's current local time in ISO8601 format |
X-SIGNATURE | Mandatory | String | Represents signature of a request. Identify Signature Type used |
X-PARTNER-ID | Mandatory | String | Unique ID for a partner given by Durianpay upon completing registration. Its value is same as the X-CLIENT-KEY |
X-EXTERNAL-ID | Mandatory | String | Numeric String. Reference number that should be unique. |
CHANNEL-ID | Mandatory | String | PJP’s channel id Device identification on which the API services is currently being accessed by the end user (customer) |
Sandbox Environment
To test in sandbox environment, merchant can refer to here
Steps Overview
- Step 1: Generate Signature
- Step 2: Obtain Access Token from the server
- Step 3: Use generated Access Token for transaction API
- Step4: Verify payment status (Optional)
Step 1: Generate Signature
Generate Signature for Obtaining B2B Access Token
<X-CLIENT-KEY> | <X-TIMESTAMP>
(on ISO8601 format) which then signed using SHA256withRSA
with Private/Public Key pair merchant has generated.
Example:
merchant_client_key|2024-05-13T14:53:06.991+07:00
Final Result: X-Signature: aw3o6HM68vJDLO4nxAPgK0it5nd6zik3bUgMzqLiTrIB7w1QbnCLDo2cbCTxJ4/Vj45z1
vD8sKvr58wRkecUacvQ4NJxfqVdJMXLW6DwQKhD2KuypyYTUXUetT70tUWiF3LHz357ZQq8H18rzRwbrZuUvFh671/IMVjaYsbPk9s=
Generate Signature for Transaction
<HTTP METHOD> + ":" + <RELATIVE PATH URL> + ":" + <B2B ACCESS TOKEN> + ":" + LowerCase(HexEncode(SHA-256(Minify(<HTTP BODY>))))
+ ":" + <X-TIMESTAMP>
which then encrypted using HMAC-SHA512
which then encrypted using HMAC-SHA512
with merchant's Secret Key that Durianpay give.
Example: POST:/v1.0/balance-inquiry:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJEdXJpYW4gTW9uZX:
f806c49e8cd175aa9dd5dd8e0a49648c885954d83fe7fe648f3448871c737fd4:2024-05-13T15:07:07+07:00
Final Result: X-Signature: tnNHFw5ZCWjnHFd9UGAB5iDLuwo+89efml8F1CP8vaqut/PfNWac/XLiCkLt3zGHTppZKPxz/PPptqM2alsOFA==
Step 2: Obtain Access Token from the server
Use following endpoint to create obtain B2B Access Token
You can use your preferred programming language to implement
obtain access token
API
curl --location 'https://api.durianpay.id/v1.0/access-token/b2b' \
--header 'X-TIMESTAMP: 2024-05-13T15:32:36.422+07:00' \
--header 'X-SIGNATURE: KLJ9KthaIiZSzPqHUMuJRsKOZtYCqqWd5DhfWqYC7OjZ2Qlu0PvQ2wRQF5vfDWsz/qFYEexOXb47+oQBjMhAz4XRNhXBBfwoWxrGTG8iU8EYSDVfChW0NqAWjWIQolhB4UcHn5SybPFRON3rvAOIQTzuEshUA1PNAln8jOKaRmY=' \
--header 'X-CLIENT-KEY: client_id' \
--header 'Content-Type: application/json' \
--data '{
"grantType": "AUTHORIZATION_CODE"
}'
// Sample response
{
"responseCode": "2007300",
"responseMessage": "Successful",
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJEdXJpYW4gTW9uZXkiLCJleHAiOjE3MTU1OTAwNTYsImlhdCI6MTcxNTU4OTE1NiwibWVyY2",
"tokenType": "BearerToken",
"expiresIn": "2024-05-13 08:47:36.452492159 +0000 UTC"
}
Learn more about Obtain B2B Access Token
Step 3: Use generated Access Token for transaction API
Merchant can used obtained access token to make API request, for example bank account inquiry API:
You can use your preferred programming language to implement these API
curl --location 'https://api.durianpay.id/v1.0/account-inquiry-external' \
--header 'X-TIMESTAMP: 2024-05-14T18:54:57+07:00' \
--header 'X-SIGNATURE: pCA+q832pxHnTPm1Kdbfu1am37J9XFeGH13JGYqHv7Ww4Tb3Hrc5xRew+4y2tN4wiAPnHmvXcJ1Tyf94jK5gHQ==' \
--header 'X-PARTNER-ID: partner_id' \
--header 'X-EXTERNAL-ID: random_external_id' \
--header 'CHANNEL-ID: channel_id' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJEdXJpYW4gTW9uZXkiLCJleHAiOjE3MTU1OTM3NTYsImlhdCI' \
--data '{
"beneficiaryAccountNo": "087783146495",
"beneficiaryBankCode": "002",
"partnerReferenceNo": "202010290000000000000",
"additionalInfo": {
"deviceId": "12345679237",
"channel": "mobilephone"
}
}'
// Sample response
{
"additionalInfo": {
"channel": "mobilephone",
"deviceId": "12345679237"
},
"beneficiaryAccountName": "Dummy Name",
"beneficiaryAccountNo": "087783146495",
"beneficiaryBankCode": "002",
"beneficiaryBankName": "Bank Rakyat Indonesia",
"currency": "IDR",
"partnerReferenceNo": "202010290000000000000",
"responseCode": "2001600",
"responseMessage": "Successful"
}
To see all available API, please refer here