Skip to main content

Splitit Side: Encrypting API Responses

For additional security, you can require that Splitit's API responses be sent to you in an encrypted format. To accomplish this, Splitit will use your public key to encrypt communication that you can then decrypt with your private key.

Things to know:

  • Only works with API V3 endpoints
  • Similar to message-level encryption (MLE), responses will arrive in format application/jose+json
  • For debugging and support, please preserve response headers with x-splitit-traceid

Instructions

  1. Begin by authenticating to the Splitit ID server, using the instructions here. You'll receive a token in the response.

  2. Add the token from step 1 in your header, then call Rotate Public Key. The body to send is as follows:

{
  "Type": "RSA",
  "Usage": [
    "ResponseEncryption"
  ],
  "OwnerCode": "string", // given to you by Splitit support
  "PublicKey": "string", // An RSA public key you have generated
  "ExpirationUtc": "2024-07-06T15:46:26.409Z", // When you'd like your key to expire (if you don't set this, a default value will be set by Splitit)
  "RelatedClientId": "string" // the client from your account you'd like to use, given by Splitit support
}

You will get a Key Id (UniqueId) in return.

  1. You can check that your key was successfully rotated by calling List All Keys.

  2. Invoke any API V3 endpoint. The response should be JWE encrypted with the Key Id from step 2 above. Use a tool like https://jwt.io/ to inspect the JWE headers and verify that the Key Id is the correct one.