search
DOKU DocsChangelogDOKU Github

Signature Componen from Response Header

To validate a signature in response header, merchant need to see and check these components.

Client-Id:value
Request-Id:value
Response-Timestamp:value
Request-Target:value
Digest:value

hashtag
Component Explanation

Name
Description

Client-Id

Retrieved from the Request Header

Request-Id

Retrieved from the Request Header

Response-Timestamp

Retrieved from the Response Header

Request-Target

The path of the endpoint that will be hitted e.g: /doku-virtual-account/v2/payment-code.

Digest

Encoded (base64) value of hashed (SHA-256) JSON body. This component only applied for POST Method.

hashtag
Preparation

Before validating Signature, merchant need to check all the component required.

Set Client-Id, Request-Id, Response-Timestamp.arrow-up-right

Use the Client-Id, Request-Id, Response-Timestamp that is placed on the Response Header.

Set Request-Targetarrow-up-right

The Request-Target is depending on who is sending the request:

  1. When merchant hits DOKU endpoints: The Request-Target is the path of the DOKU API that merchant hits.

hashtag
Validating Signature

After merchant send request to DOKU and generate signature in request header, DOKU will send response and generate signature in response header. Then merchant can verify this response is coming from DOKU by Signature.

  1. Arrange the signature components to one component and its value per line by adding escape character. Don't add at the end of the string. Sample of the raw format :

This is how merchant will see :

  1. Calculate HMAC-SHA256 base64 from all the components above using the Secret Key from DOKU Back Officearrow-up-right

  2. Put encoded value and prepend HMACSHA256= to the Signature. Sample :

circle-info

INFO!

To make sure every response API from DOKU, just verify in Signature that you get from Response Header!

PreviousSignature Component from Request HeaderNextSignature from API Get Method

Last updated