Access to API

Learn to authenticate API requests and fix validation errors effectively

By understanding the Solidgate validation and authentication process for API requests, you can gain access to the API and effectively handle validation error messages. Obtain the required credentials, including public and secret keys, and follow the signature creation and webhook validation steps to enable secure payment processing, proper authentication, and error management.

Retrieve your credentials

To start accepting payments, even in the sandbox environment, you require credentials. These credentials are Public publicKey and Secret secretKey keys, which should be applied for direct API calls and to check the webhook signature.

Obtain the keys from the personal account in the Solidgate HUB by navigating to the Developers section and then proceeding to the specific Channel details page:

API keys have the prefix api_pk_/api_sk_
Webhook keys have the prefix wh_pk_/wh_sk_

The Public key and Secret key are applied to calculate the signature, verifying both the source and the integrity of the request details transmitted between the merchant and gateway.

Generate signature

The signature value is a base64-encoded string, which is a hexadecimal representation of the SHA-512 hash function. The encryption key utilized for this is the Secret key. And for signature data, use the following string publicKey + jsonString + publicKey

For GET requests that do not have a body, the signature data must simply be publicKey + publicKey

Parameter	Description	Test Data
publicKey	Public key	api_pk_8f8a8k8e8k8e8y8
jsonString	Request body in JSON string	{"amount": "100", "currency": "USD"}
secretKey	Secret key	api_sk_8f8a8k8e8k8e8y8
*Both Public and Secret key are provided at the moment of merchant registration and are used for signature generation. These keys are vital to generate secure signatures for authentication and verification purposes.

Use the generateSignature function that takes the data and the Secret key as parameters.
Generate the HMAC-SHA512 hash using the Secret key and data.
Get the hexadecimal representation of the hash.
Encode the hexadecimal representation of the hash directly to Base64.

Expected signature with test data
MjFkZGE3ZTZjODc0YjY5YTczOTlmOTBlYjk0MDY1NThiODJiZmE3ZTgxOGJjMWUxYjNkNTFjMDNjZmUzOGRlMTBhZGEzMmYxMGY3NTBlOTBlMGZkNDUwZTRiNmI5YTBiYTVmZWM5NzcxMjU3OWM0MGU5Mzg1NTljOTE1NTVlNzA=

PHP

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20


<?php
class SignatureGenerator
{
        public static function generateSignature(string $publicKey, string $jsonString, string $secret_key): string
    {
        $text = $publicKey . $jsonString . $publicKey;
        $hashedBytes = hash_hmac('sha512', $text, $secret_key);
        return base64_encode($hashedBytes);
    }
    public static function main(array $args): void
    {
        $public_key = 'api_pk_8f8a8k8e8k8e8y8';
        $json_string = '{"amount": "100", "currency": "USD"}';
        $secret_key = 'api_sk_8f8a8k8e8k8e8y8';
        $signature = self::generateSignature($public_key, $json_string, $secret_key);
        echo $signature . "\n";
    }    
}

SignatureGenerator::main([]);

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24


package main

import (
    "crypto/hmac"
    "crypto/sha512"
    "encoding/base64"
    "encoding/hex"
    "fmt"
)

func generateSignature(publicKey, jsonString, secretKey string) string {
    data := publicKey + jsonString + publicKey
    h := hmac.New(sha512.New, []byte(secretKey))
    h.Write([]byte(data))
    return base64.StdEncoding.EncodeToString([]byte(hex.EncodeToString(h.Sum(nil))))
}

func main() {
    publicKey := "api_pk_8f8a8k8e8k8e8y8"
    jsonString := `{"amount": "100", "currency": "USD"}`
    secretKey := "api_sk_8f8a8k8e8k8e8y8"
    signature := generateSignature(publicKey, jsonString, secretKey)
    fmt.Println(signature)
}

Kotlin

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25


package com.solidgate.examples

// https://mvnrepository.com/artifact/com.google.guava/guava
import com.google.common.hash.Hashing
import java.nio.charset.StandardCharsets
import java.util.Base64

class SignatureGenerator {
    companion object {
        fun generateSignature(publicKey: String, jsonString: String, secretKey: String): String {
            val text = publicKey + jsonString + publicKey
            val hashedBytes = Hashing.hmacSha512(secretKey.toByteArray())
                .hashString(text, StandardCharsets.UTF_8).toString().toByteArray()
            return Base64.getEncoder().encodeToString(hashedBytes)
        }
    }
}

fun main() {
    val publicKey = "api_pk_8f8a8k8e8k8e8y8"
    val jsonString = "{\"amount\": \"100\", \"currency\": \"USD\"}"
    val secretKey = "api_sk_8f8a8k8e8k8e8y8"
    val signature = SignatureGenerator.generateSignature(publicKey, jsonString, secretKey)
    println(signature)
}

Python

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


import hashlib
import hmac
import base64

def generateSignature(public_key, json_string, secret_key):
    data = public_key + json_string + public_key
    hmac_hash = hmac.new(secret_key.encode('utf-8'), data.encode('utf-8'), hashlib.sha512).digest()
    return base64.b64encode(hmac_hash.hex().encode('utf-8')).decode('utf-8')

public_key = "api_pk_8f8a8k8e8k8e8y8"
json_string = "{\"amount\": \"100\", \"currency\": \"USD\"}"
secret_key = "api_sk_8f8a8k8e8k8e8y8"

signature = generateSignature(public_key, json_string, secret_key)
print(signature)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27


using System;
using System.Security.Cryptography;
using System.Text;

public class SignatureGenerator {
    
    public static string GenerateSignature(string publicKey, string jsonString, string secretKey) {
        string data = publicKey + jsonString + publicKey;
        byte[] secretKeyBytes = Encoding.UTF8.GetBytes(secretKey);
        byte[] dataBytes = Encoding.UTF8.GetBytes(data);
        using (var hmac = new HMACSHA512(secretKeyBytes)) {
            byte[] hashBytes = hmac.ComputeHash(dataBytes);
            string hexHash = BitConverter.ToString(hashBytes).Replace("-", "").ToLower();
            byte[] base64Bytes = Encoding.UTF8.GetBytes(hexHash);
            string base64Signature = Convert.ToBase64String(base64Bytes);
            return base64Signature;
        }
    }
    
    public static void Main(string[] args) {
        string publicKey = "api_pk_8f8a8k8e8k8e8y8";
        string jsonString = "{\"amount\": \"100\", \"currency\": \"USD\"}";
        string secretKey = "api_sk_8f8a8k8e8k8e8y8";
        string signature = SignatureGenerator.GenerateSignature(publicKey, jsonString, secretKey);
        Console.WriteLine(signature);
    }
}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17


const crypto = require('crypto');

function generateSignature(publicKey, jsonString, secretKey) {
	const data = publicKey + jsonString + publicKey;
	const hmac = crypto.createHmac('sha512', secretKey);
	hmac.update(data);
	const hash = hmac.digest();
	const hexHash = hash.toString('hex');
	return Buffer.from(hexHash).toString('base64');
}

const publicKey = 'api_pk_8f8a8k8e8k8e8y8';
const jsonString = '{"amount": "100", "currency": "USD"}'
const secretKey = 'api_sk_8f8a8k8e8k8e8y8';

const signature = generateSignature(publicKey, jsonString, secretKey);
console.log(signature);

Java

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23


//dependency - https://mvnrepository.com/artifact/com.google.guava/guava
import com.google.common.hash.Hashing;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class SignatureGenerator {

  public static String generateSignature(String publicKey, String jsonString, String secretKey) {
    String text = publicKey + jsonString + publicKey;
    byte[] hashedBytes = Hashing.hmacSha512(secretKey.getBytes())
        .hashString(text, StandardCharsets.UTF_8).toString().getBytes();
    return Base64.getEncoder().encodeToString(hashedBytes);
  }

  public static void main(String[] args) {
    String publicKey = "api_pk_8f8a8k8e8k8e8y8";
    String jsonString = "{\"amount\": \"100\", \"currency\": \"USD\"}";
    String secretKey = "api_sk_8f8a8k8e8k8e8y8";
    String signature = generateSignature(publicKey, jsonString, secretKey);
    System.out.println(signature);
  }

}

Ruby

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17


require 'openssl'
require 'base64'

def generate_signature(public_key, json_string, secret_key)
  digest = OpenSSL::Digest.new('sha512')
  instance = OpenSSL::HMAC.new(secret_key, digest)
  instance.update(public_key + json_string + public_key)
  Base64.strict_encode64(instance.hexdigest)
end

# Example usage
public_key = "api_pk_8f8a8k8e8k8e8y8"
json_string = '{"amount": "100", "currency": "USD"}'
secret_key = "api_sk_8f8a8k8e8k8e8y8"

signature = generate_signature(public_key, json_string, secret_key)
puts "Signature value: #{signature}"

Authenticate your API request

To authenticate, add the following headers to each request:

Header	Description	Example
`merchant`	A unique Public key is provided upon registration and must be shared for identification purposes.	api_pk_7b197……..ba108f842
`signature`	The request signature allows verification of the merchant’s authenticity on the payment gateway server.	MjNiYFdSdjVj……..hYmNiZDY=

Solidgate employs a similar Guide
Subscribe for events on your Solidgate account so your integration can automatically trigger actions. authentication method for webhooks, using merchant and signature parameters in headers.

Fail response authentication

1
2
3
4
5
6
7
8


{
  "error": {
    "code": "1.01",
    "messages": [
      "Authentication failed"
    ]
  }
}

If you receive an incorrect signature response, verify your API keys and encryption value, then consult the Solidgate support team for further assistance.

Outgoing requests for IP addresses

Specific IP addresses are used for outbound requests to external services for secure and effective communication. Allowing traffic from these IP addresses in your system is crucial to ensure uninterrupted service and data exchange.

Security

Configure your security systems to accept these IPs to prevent service interruptions.

Monitoring

Stay informed about any changes to these IP addresses for continuous service.

IP Addresses
3.74.184.6 / 3.121.136.242
18.156.25.95 / 18.156.25.95 / 18.157.119.243 / 18.184.24.146 / 18.192.168.222 / 18.195.90.222
35.157.172.91 / 35.165.202.104
44.224.79.149
52.10.37.135 / 52.88.195.65

FAQ

Expand all

Getting blocked by WAF error?

This section explains the “Blocked by WAF” error and how to resolve it, often caused by a discrepancy in endpoint and base URL in API requests.

Understanding the error: The "Blocked by WAF" error usually occurs when a request is mistakenly directed to an incorrect endpoint that doesn't match the intended action.
Resolving the error: To avoid this error, ensure the correct pairing of the endpoint and base URL in your API requests.
Troubleshooting steps: When encountering this error, check the full URL used in your request and verify it against the valid endpoints listed at Solidgate API reference.

Example scenario: You attempt to cancel a subscription with the endpoint /subscription/cancel-by-customer at the base URL https://pay.solidgate.com/api/v1, but the correct base URL should be https://subscriptions.solidgate.com/api/v1