Skip to main content

Key Types and Usage

SwwipePay uses different types of keys for different purposes. Understanding when and how to use each key is crucial for proper integration:

Key Usage Examples

Client ID & Client Secret:
  • Used for server-to-server API calls
  • Required for transaction verification
  • Must be kept secure on your backend
Merchant Key:
  • Used in your frontend JavaScript code
  • Required to initialize the SwwipePay payment modal
  • Can be safely included in client-side code

API Authentication

This endpoint uses HTTP Basic Authentication for server-side API requests.

Required Headers

Authentication Process

  1. Combine credentials: Concatenate your client-id and client-secret with a colon separator
  2. Encode: Base64 encode the combined string
  3. Include in header: Add the encoded string to the Authorization header

Example Implementation

JavaScript/Node.js

PHP

Python

C#

txn_reference_here is your transaction reference.

Signature Validation

Overview

Signature validation is a crucial step in processing events or responses received from Swwipe. These entities carry a payload that includes an HMAC (Hash-based Message Authentication Code) property. The purpose of this property is to ensure the integrity and authenticity of the data transmitted. The HMAC property is generated as a Hexadecimal HMAC256 hash, computed based on a combination of parameters, including MerchantRef, CurrencyCode, and Amount, using the MerchantSecret as the secret key.

Verifying HMAC Property

Before proceeding with the processing of any transaction, it is imperative to validate the HMAC property to confirm the data’s integrity and origin. The following section provides a sample function that can be used to obtain the HMAC value for verification. Sample Function: HexHMACHash256 TheHexHMACHash256 function is used to calculate the HMAC256 hash for a given input value using the provided MerchantSecret key. It is crucial to construct the input value as the concatenation of MerchantRef, CurrencyCode, and Amount.

HMAC Implementation Examples

The following examples show how to implement HMAC256 signature validation in different programming languages:

C#

JavaScript/Node.js

Python

PHP

Java

Go

Ruby

Signature Validation Process

To validate a signature received from SwwipePay:
  1. Extract the parameters from the response: MerchantRef, CurrencyCode, Amount
  2. Concatenate the values in the exact order: MerchantRef + CurrencyCode + Amount
  3. Calculate the HMAC using your merchant secret key
  4. Compare the calculated hash with the received HMAC property
  5. Process the transaction only if the signatures match
In the provided function, value should be constructed as the concatenation ofMerchantRef, CurrencyCode, and Amount, while maggi represents the MerchantSecret key. By calling this function and comparing the result with the HMAC property received from SwwipePay, you can ensure the authenticity and integrity of the data before proceeding with transaction processing.

Security Notes

  • Always keep your merchant secret secure and never expose it in client-side code
  • Validate signatures for all responses
  • Use constant-time comparison when validating signatures to prevent timing attacks
  • Store your merchant secret in environment variables or secure configuration