As part of registering for Pay’nUp you will have received 2 values that are used to authenticate yourself with Pay’nUp. Failure to properly authenticate using these values will result in API failures and will prevent transaction processing.

  • API Identifier - a non-secure value that should be passed within the JWT under the iss claim.
  • API Key - a SECURE value that should only ever be known between you and Pay’nUp.

These two values are used to generate a valid token to handle authentication.

IMPORTANT!: Tokens must be generated in a secure place (server-side or compiled code). NEVER store or use the API Key in a file that all customers can see, e.g. JavaScript files. This value should only be used to sign the JWT and to verify a JWT signature from Pay’nUp. It should never be included within the JWT itself. To protect the integration partner account, it is important to keep the API Key confidential. Never include the API Key in cleartext in transaction requests to Pay’nUp. Do not share the API Key outside of the integration partner’s organization. Pay’nUp will never ask for the API Key, and will not deliver it via email.

Learn more about JWTs

JWT Fields

A valid Pay’nUp JWT used to pass transactional data must have the following elements:

Required Fields

Please note that each Claim key is case sensitive.

| Claim | Required | Description |
|-------|----------|-------------|
| jti | YES | JWT Id - This is created by you and is a unique identifier that can be used to reference a particular JWT within the Pay’nUp system. |
| iat | YES | Issued At Time - This is a timestamp of when the JWT was created. |
| iss | YES | Issuer - Identifies who is generating the JWT. This field should contain your API Identifier value provided to you during merchant registration. |
| exp | NO | Expire At Time - Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. By default a JWT will be considered expired by Pay’nUp after 2hrs. |
| ip | NO | Client IP - IP of the client, if all API requests will be generated from a server. |
| agent | NO | User Agent - The User-Agent request header contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor or software version of the requesting software user agent. |
| origin | NO | Origin - Indicates where a fetch originates from, only the server name. It is sent with CORS requests, as well as with POST requests. It is similar to the Referer header, but, unlike this header, it doesn’t disclose the whole path. |
| sn | Only for Verifone Terminals | Serial Number - Identifies the serial number of the terminal. |
| ani | Only for Verifone Terminals | Automatic Number Identification - Phone number used to connect the terminal, in the case of a DialUp terminal. |

Important! ip, agent and origin are optional, but should be used if you are sending all requests from a server and the end customer IP address is different. Because you are acting as an intermediary between end customers and our API, we do not have a way to identify that information from the end customer. That information is helpful for tracking and security purposes, e.g. Credit Card payments use the client IP to identify customer location. If you do not provide that information, our server uses your server IP address as the client IP, and it can eventually be marked as “suspicious” if some customers make malicious payments using your system. On the other hand, if your application is a JavaScript or mobile application, you can ignore this data, because the IP address that makes the request is the same as the end customer's.

JWT Example

Below is an example of the JSON content of a basic JWT Payload.

{
	"jti": "12345",
	"iat": 1514782800,
	"iss": "885A445614046CDB3B2F"
}

ApiKey: 17BEA3BE-8475-402A-8C6D-5CEB20A2A1E9

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiIxMjM0NSIsImlhdCI6MTUxNDc4Mjgw
MCwiaXNzIjoiODg1QTQ0NTYxNDA0NkNEQjNCMkYifQ.weBhi5xK8w6scP2RdLn5ZbS-c8FRoq1Ig2
W9B3nV2qs

View in JWT.io

Currently the only supported algorithm is HS256.

Generating a Server JWT

We recommend using an existing third party library to assist you in generating a JWT. The JWT.io website contains a list of approved libraries, with their feature sets. Check it out here.

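The following is a basic example using PHP and firebase/php-jwt:

<?php
require __DIR__ . '/vendor/autoload.php'; // Composer autoloader for firebase/php-jwt

use Firebase\JWT\JWT;

// ApiKey: server-side only; load it from protected configuration in production.
$key = "87E0C066-BD48-432D-99D3-EC4F07734C34";
// jti must be unique per token, so draw it from a CSPRNG instead of rand().
$transactionId = bin2hex(random_bytes(16));

$token = [
    "jti" => $transactionId,
    "iss" => "885A445614046CDB3B2F", // ApiIdentifier
    "iat" => time()
];
// HS256 is the only supported algorithm; recent firebase/php-jwt releases
// require the algorithm to be passed explicitly.
$jwt = JWT::encode($token, $key, 'HS256');

echo 'Token: ' . $jwt;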

The generated token can be safely used in JavaScript files or other places. These tokens are short-lived and are commonly used only for a short time.
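The API Key is also used to verify a JWT signature from Pay’nUp, and HS256 is the only supported algorithm. The Python sketch below is an added example, not code from Pay’nUp or from this page: it signs and verifies HS256 tokens with the standard library only, reuses the sample values from the JWT Example, and assumes the default 2-hour lifetime is counted from iat.

```python
import base64, hashlib, hmac, json, time

DEFAULT_LIFETIME = 2 * 60 * 60  # page: expired after 2hrs by default (assumed: measured from iat)
# Sample values taken from the JWT Example section of this page.
SAMPLE_KEY = "17BEA3BE-8475-402A-8C6D-5CEB20A2A1E9"
SAMPLE_CLAIMS = {"jti": "12345", "iat": 1514782800, "iss": "885A445614046CDB3B2F"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(api_key: str, signing_input: str) -> bytes:
    return hmac.new(api_key.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign(claims: dict, api_key: str) -> str:
    """Build header.payload.signature with HS256 (run server-side only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    body = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, claims))
    return body + "." + b64url(mac(api_key, body))

def verify(token: str, api_key: str, now=None) -> dict:
    """Return the claims, or raise if the token must not be trusted."""
    now = time.time() if now is None else now
    h64, p64, s64 = token.split(".")  # ValueError unless exactly three parts
    header = json.loads(unb64url(h64))
    # Pin the algorithm: the token must never get to pick "none" or another alg.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    # Recompute the MAC and compare in constant time before trusting the payload.
    if not hmac.compare_digest(unb64url(s64), mac(api_key, f"{h64}.{p64}")):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(p64))
    if not isinstance(claims, dict) or "iat" not in claims:
        raise ValueError("missing iat")
    # exp is optional; fall back to the default lifetime when it is absent.
    if now >= claims.get("exp", claims["iat"] + DEFAULT_LIFETIME):
        raise ValueError("expired")
    return claims

def accepts(token: str, api_key: str, now=None) -> bool:
    """Boolean wrapper: any parsing or validation failure means reject."""
    try:
        verify(token, api_key, now)
        return True
    except (ValueError, KeyError, TypeError):
        return False
```

In production, use a maintained JWT library as recommended above and configure it to accept HS256 only.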