HMAC Signatures

To ensure the authenticity and integrity of incoming requests, Fundiin requires them to be signed. The signature is a Hash-based Message Authentication Code (HMAC) calculated over the request body with a secret key that is known only to you and Fundiin.

Request Signing

Before sending a request to Fundiin, you need to calculate the signature and include it as a header in the request. When Fundiin receives the request, it will also calculate the signature using the request body and the secret key stored on the Fundiin side. By verifying that both signatures are equal, Fundiin can ensure that the request is authentic and hasn't been tampered with during transmission.

Payment Notification Validation

You can also validate payment notifications received from Fundiin by calculating the corresponding signature and comparing it with the signature included in the payment notification. This process allows you to confirm that the payment notification was indeed sent by Fundiin and hasn't been modified during transmission.

Create Signature

Fundiin uses the HMAC SHA-256 algorithm to generate the signature:

signature = HMAC(algorithm, secretKey, body)

With:

  • algorithm: Refers to the security method registered by the Merchant with Fundiin. The default algorithm used is HMAC SHA-256.
  • secretKey: The secret key provided by Fundiin during the registration process.
  • body: The data used for HMAC calculation.

Please make sure to implement this signature generation process correctly to ensure secure and authenticated communication with the Fundiin API.

The HMAC SHA-256 signature is generated using the provided secret key and request body, and then encoded in hexadecimal format.

The following shows how to generate HMAC SHA-256 signatures in common languages:

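import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;

public class SignatureGenerator {

    // Returns the HMAC SHA-256 of data under secretKey as a lowercase hex string.
    public static String generateHmacSHA256Signature(String secretKey, String data) {
        try {
            Mac hmacSHA256 = Mac.getInstance("HmacSHA256");
            // Name the charset explicitly: getBytes() without one uses the platform
            // default, which can produce different bytes (and signatures) per host.
            SecretKeySpec secretKeySpec =
                    new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
            hmacSHA256.init(secretKeySpec);
            byte[] hash = hmacSHA256.doFinal(data.getBytes(StandardCharsets.UTF_8));

            // Hex-encode the 32-byte MAC, two lowercase digits per byte.
            StringBuilder result = new StringBuilder();
            for (byte b : hash) {
                result.append(String.format("%02x", b));
            }
            return result.toString();
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
            // Fail loudly instead of returning null, so a request is never sent unsigned.
            throw new IllegalStateException("Unable to compute HMAC SHA-256 signature", e);
        }
    }
}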
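
For the Payment Notification Validation step described above, the following Python sketch shows the receiving side: recompute the HMAC SHA-256 over the raw notification bytes and compare it in constant time. It is an added example, not Fundiin's own code; the secret key, the JSON fields and the function names are constructed for illustration, and how the signature reaches you (for example, which header carries it) is left to the caller.

```python
import hashlib
import hmac
import json

def sign(secret_key: bytes, body: bytes) -> str:
    """HMAC SHA-256 over the exact body bytes, hex-encoded as the page describes."""
    return hmac.new(secret_key, body, hashlib.sha256).hexdigest()

def verify_notification(secret_key: bytes, raw_body: bytes, received_sig: str) -> bool:
    """True only when received_sig is the HMAC SHA-256 of raw_body under secret_key."""
    if not received_sig:
        return False  # a missing signature is a failure, never "skip the check"
    expected = sign(secret_key, raw_body).encode("ascii")
    # Assumption: hex case is not significant, so normalise before comparing.
    candidate = received_sig.strip().lower().encode("utf-8")
    # compare_digest takes time independent of where the first mismatch occurs,
    # so response timing does not reveal how much of a guessed signature was right.
    return hmac.compare_digest(expected, candidate)

# Constructed sample data: the key and the JSON fields are made up for this example.
SECRET = b"constructed-demo-secret"
RAW_BODY = b'{"amount": 150000, "referenceId": "ORDER-1001", "status": "SUCCESS"}'

def demo() -> dict:
    good_sig = sign(SECRET, RAW_BODY)
    tampered = RAW_BODY.replace(b"150000", b"1")
    # Parsing and re-serialising changes whitespace, hence the bytes and the MAC.
    reserialised = json.dumps(json.loads(RAW_BODY), separators=(",", ":")).encode()
    return {
        "genuine": verify_notification(SECRET, RAW_BODY, good_sig),
        "tampered_body": verify_notification(SECRET, tampered, good_sig),
        "reserialised_body": verify_notification(SECRET, reserialised, good_sig),
        "wrong_key": verify_notification(b"other-key", RAW_BODY, good_sig),
        "missing_signature": verify_notification(SECRET, RAW_BODY, ""),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18} accepted={accepted}")
```

Verify against the bytes exactly as received, before any JSON parsing, and reject the notification when the check fails.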