Signature Components from Response Header
To validate a signature in the response header, the merchant needs to check these components.
| Component | Explanation |
| --- | --- |
| Client-Id | Retrieved from the Request Header |
| Request-Id | Retrieved from the Request Header |
| Response-Timestamp | Retrieved from the Response Header |
| Request-Target | The path of the endpoint that will be hit, e.g. /doku-virtual-account/v2/payment-code |
| Digest | Base64-encoded value of the SHA-256 hash of the JSON body. This component applies only to the POST method. |
Preparation
Before validating the Signature, the merchant needs to check all the required components.
Set Client-Id, Request-Id, Response-Timestamp
Use the Client-Id, Request-Id and Response-Timestamp that are placed on the Response Header.
Set Request-Target
The Request-Target depends on who is sending the request:
When the merchant hits DOKU endpoints: the Request-Target is the path of the DOKU API that the merchant hits.
Validating Signature
After the merchant sends a request to DOKU with a signature generated in the request header, DOKU sends a response with a signature generated in the response header. The merchant can then use the Signature to verify that this response comes from DOKU.
Arrange the signature components so that there is one component and its value per line, by adding the escape character between them. Don't add it at the end of the string. Sample of the raw format :
This is how the merchant will see it :
Calculate the HMAC-SHA256 of all the components above using the Secret Key from the DOKU Back Office, and encode the result as base64.
Take the encoded value and prepend HMACSHA256= to it to get the Signature. Sample :
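The validation steps above as an added Python example (not DOKU's own code). It assumes each line is `Name:value`, that lines are joined by `\n` in the order of the component table, and that the Digest is taken over the raw response body; the key, IDs and body are constructed sample values.

```python
import base64
import hashlib
import hmac

# Order follows the component table on this page.
ORDER = ("Client-Id", "Request-Id", "Response-Timestamp", "Request-Target", "Digest")

def body_digest(body: bytes) -> str:
    """Base64 of the SHA-256 hash of the raw JSON body bytes as received."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")

def build_signature(secret_key: str, values: dict) -> str:
    # Assumed layout: "Name:value" per line, "\n" between lines, none at the end.
    raw = "\n".join(f"{name}:{values[name]}" for name in ORDER if name in values)
    mac = hmac.new(secret_key.encode(), raw.encode(), hashlib.sha256).digest()
    return "HMACSHA256=" + base64.b64encode(mac).decode("ascii")

def verify_response(secret_key, client_id, request_id, request_target,
                    headers, body=None) -> bool:
    """True only when the Signature response header matches the recomputed one."""
    received = headers.get("Signature")
    timestamp = headers.get("Response-Timestamp")
    if not received or not timestamp:
        return False  # fail closed on missing headers
    values = {"Client-Id": client_id, "Request-Id": request_id,
              "Response-Timestamp": timestamp, "Request-Target": request_target}
    if body is not None:  # Digest applies only to the POST method
        values["Digest"] = body_digest(body)
    expected = build_signature(secret_key, values)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())

# Constructed sample values (not real DOKU data), signed locally with a made-up key.
SECRET = "SK-constructed-example"
CLIENT_ID = "MCH-CONSTRUCTED-0001"
REQUEST_ID = "req-constructed-0001"
TARGET = "/doku-virtual-account/v2/payment-code"
BODY = b'{"order":{"invoice_number":"INV-CONSTRUCTED-1"}}'
HEADERS = {"Response-Timestamp": "2020-08-11T08:45:42Z"}
HEADERS["Signature"] = build_signature(SECRET, {
    "Client-Id": CLIENT_ID, "Request-Id": REQUEST_ID,
    "Response-Timestamp": HEADERS["Response-Timestamp"],
    "Request-Target": TARGET, "Digest": body_digest(BODY)})

if __name__ == "__main__":
    print(verify_response(SECRET, CLIENT_ID, REQUEST_ID, TARGET, HEADERS, BODY))
    print(verify_response(SECRET, CLIENT_ID, REQUEST_ID, TARGET, HEADERS, BODY + b" "))
```

Hash the body bytes exactly as they arrived; re-serializing the parsed JSON can change whitespace or key order and make a genuine response fail the check.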
INFO!
To make sure every API response comes from DOKU, verify the Signature that you get from the Response Header!