Digital Signature

A. Overview

A Digital Signature is needed to access all Open API features. This documentation does not cover the signature required in Authentication, which is documented separately. The signature contains all the information regarding the request made by the Client, such as HTTP method, path, access token, payload, and timestamp. Each value must be identical to the data that the Client sends in the request, e.g. the signed timestamp must be identical to the value in the Open-Api-Timestamp header. Any discrepancy will result in authentication failure.

hashed_payload = hexEncode(sha256(minifyJSON(payload)))
string_to_sign = method:path:token:hashed_payload:timestamp

The string to sign should be signed using CLIENT_SECRET as the key and the SHA512 method.

request.Header.Set(
  "Open-Api-Signature", base64(sha512(string_to_sign, CLIENT_SECRET))
)

B. Usage

The Digital Signature should be sent in the header as Open-Api-Signature.
Below is the detail of the values that need to be signed.

string_to_sign = METHOD:PATH:TOKEN:HASHED_PAYLOAD:TIMESTAMP

| Field | Description | Example |
| --- | --- | --- |
| method | The HTTP method used in the request | post |
| path | The endpoint path used in the request | /v1/open-api/account/inquiry |
| token | The access token previously generated from this API | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfaWQiOiIzZjljODk2Mi00YzRiLTRiYjYtYjNjMS04ZmM4ODM1MTljMDIiLCJleHAiOjE3MDEzNDAxOTYsInRpbWVzdGFtcCI6IjIwMjItMDMtMjFUMTA6MTE6NDArMDc6MDAiLCJ1c2VyX2lkIjoiZGUyMGYwNTItYmRiYy00NzAzLWFhOWQtMWVjYWM3MDBmNTQ2In0.D8xCuNfqLNnW6w7ip_0qNpHsdhAiFno6_4b99cxNCHA |
| hashed_payload | The final form of hashed payload encoded in hex | a93d16514d90ca276af95910624c6483d7ef7ddd13065807c0bc5392152e2f27 |
| timestamp | The timestamp following ISO8601 / RFC3339 format, including local timezone: yyyy-MM-dd'T'HH:mm:ss+Z | 2022-03-21T10:11:40+07:00 |

C. Example

{
		"bank_code": "000",
		"account_number": true
}

  • Example payload after hash:
7791c19c8a1031a23713d71ef8d5a76c62beef20a5ed3b9c6731d108ac70af6e

  • Example signature before hash:
GET:/v1/open-api/test:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfaWQiOiI0OGExYjlmNS1jODZlLTRiOTUtYWExMS0xOGU1MTU1YTBmMTEiLCJleHAiOjE3MDIzODYwNjYsInRpbWVzdGFtcCI6IjIwMjMtMTItMTJUMTc6MzI6NTUrMDc6MDAiLCJ1c2VyX2lkIjoiIn0.AHpz30NMuUI9GzjJNc7Ky7vBQXrWaf7FskMCt_O_n6M:7791c19c8a1031a23713d71ef8d5a76c62beef20a5ed3b9c6731d108ac70af6e:2023-12-12T17:35:55+07:00

  • Example signature after hash:
plNQpKUlZ8tO2oVNJeBxk3X2eQEtw2zbWZeQXt72nVk+8YSJNn4Tyza9V88pC9Yj+AXMUDM9keULDTAHNUNwSA==

  • Example sending request with signature:
curl --location --request GET '{{KLIKOO_B2B_URL}}/v1/open-api/test' \
--header 'Open-Api-Signature: plNQpKUlZ8tO2oVNJeBxk3X2eQEtw2zbWZeQXt72nVk+8YSJNn4Tyza9V88pC9Yj+AXMUDM9keULDTAHNUNwSA==' \
--header 'Open-Api-Timestamp: 2023-12-12T17:35:55+07:00' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfaWQiOiI0OGExYjlmNS1jODZlLTRiOTUtYWExMS0xOGU1MTU1YTBmMTEiLCJleHAiOjE3MDIzODg1NzEsInRpbWVzdGFtcCI6IjIwMjMtMTItMTJUMTc6MzI6NTUrMDc6MDAiLCJ1c2VyX2lkIjoiIn0.MkRtMx5gwOOoh6BGdw6VxjTq4uTPEXTaEIHGSgj5X1U' \
--data '{
    "bank_code": "000",
    "account_number": true
}'

  • For the GET method with an empty body, we will use the value of an empty string ("") and hash it. The resulting hash is:
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855