Merchant Side: Signature Authentication for Your API Requests

You can sign your transactional calls to Splitit's API V3 by providing Splitit with your public key, then signing your messages with your private key. Using your uploaded public key, Splitit can verify that the communication came from you.

Things to know:

  • Supported by API V3 only
  • A benefit of using signature authentication on your API requests is that no extra logins or tokens are required
  • For the sake of debugging and support, please preserve the response header x-splitit-traceid

Instructions

  1. Begin by authenticating to the Splitit ID server, using the instructions here. You'll receive a bearer token in the response.
  2. Add the bearer token from step 1 in your header, then call Rotate Public Key. The body to send is as follows:
    {
      "Type": "RSA",
      "Usage": [
        "Authentication"
      ],
      "OwnerCode": "string", // given to you by Splitit support
      "PublicKey": "{an RSA public key you generated}",
      "ExpirationUtc": "2024-07-06T15:46:26.409Z", // when you'd like your key to expire (if you don't set this, Splitit applies a default value)
      "RelatedClientId": "string" // the Client ID from your account you'd like to use; given to you by Splitit support
    }

You will get a Key ID as a response (UniqueId).

  3. Generate your signature using your private key. As the payload to sign, concatenate the following: method;URL;body

     a. Sections should be separated by semicolons, as above.
     b. The method (POST, GET, etc.) should be in all uppercase.
     c. The URL is based on the request URL and should be built as follows:
       • [host][path][query]
       • host - the host address without the port and without the "https://" scheme
       • path - request path with a leading slash
       • query string (if it exists)
       • example: "web-api-v3.sandbox.splitit.com/api/installmentplans"
     d. The body should be converted to a string (stringified JSON) using a website like https://jsonformatter.org/json-stringify-online
  4. Make your request to API V3 and add the following headers to it:

    X-Splitit-RequestSignature: the signature you generated in step 3
    X-Splitit-RequestSignature-KeyId: the Key ID (UniqueId) you received by registering your public key in the Key Exchange server (step 2)
    X-Splitit-RequestSignature-ClientId: the Client ID you would like to use (given to you by Splitit support)

Note that in this API request for step 4, your method, URL and body should match what you used in step 3 to sign your payload. No additional authentication is required.
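The following Go program is an added, end-to-end illustration of steps 3 and 4; it is not Splitit's code and does not come from the original page. It canonicalises the request URL to [host][path][query], builds the method;URL;body payload, signs it with the merchant's private key, verifies the result the way the receiving side would, and attaches the three request headers. Everything the page leaves unstated is an assumption here: the signature scheme (RSA PKCS#1 v1.5 over SHA-256, base64-encoded), that the query string keeps its leading "?", and the key ID, client ID and request body, which are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// NewKey generates the merchant key pair; only the public half is uploaded.
func NewKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// CanonicalURL builds [host][path][query]: host without scheme or port, path
// with a leading slash, query if present. ASSUMPTION: the query keeps its "?".
func CanonicalURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	path := u.EscapedPath()
	if !strings.HasPrefix(path, "/") {
		path = "/" + path
	}
	out := u.Hostname() + path // Hostname() drops any ":port"
	if u.RawQuery != "" {
		out += "?" + u.RawQuery
	}
	return out, nil
}

// SigningPayload concatenates method;URL;body (step 3). body must be the exact
// stringified JSON that goes on the wire, or the server-side check fails.
func SigningPayload(method, rawURL, body string) (string, error) {
	cu, err := CanonicalURL(rawURL)
	if err != nil {
		return "", err
	}
	return strings.ToUpper(method) + ";" + cu + ";" + body, nil
}

// Sign returns the base64 value for X-Splitit-RequestSignature.
// ASSUMPTION: RSA PKCS#1 v1.5 over SHA-256; the page names RSA but not the
// hash, padding or signature encoding.
func Sign(priv *rsa.PrivateKey, payload string) (string, error) {
	digest := sha256.Sum256([]byte(payload))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Verify mirrors the receiving side's check against the registered public key.
func Verify(pub *rsa.PublicKey, payload, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(payload))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// SignedRequest builds the API V3 request carrying the three step-4 headers.
func SignedRequest(priv *rsa.PrivateKey, method, rawURL, body, keyID, clientID string) (*http.Request, error) {
	payload, err := SigningPayload(method, rawURL, body)
	if err != nil {
		return nil, err
	}
	sig, err := Sign(priv, payload)
	if err != nil {
		return nil, err
	}
	// Same method, URL and body as signed, so the server rebuilds the same payload.
	req, err := http.NewRequest(strings.ToUpper(method), rawURL, strings.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Splitit-RequestSignature", sig)
	req.Header.Set("X-Splitit-RequestSignature-KeyId", keyID)       // UniqueId from step 2
	req.Header.Set("X-Splitit-RequestSignature-ClientId", clientID) // issued by Splitit support
	return req, nil
}

func main() {
	priv, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample body and placeholder IDs; not real Splitit values.
	req, err := SignedRequest(priv, "post", "https://web-api-v3.sandbox.splitit.com/api/installmentplans",
		`{"PlanData":{"Amount":100}}`, "KEY-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER")
	if err != nil {
		panic(err)
	}
	fmt.Println("X-Splitit-RequestSignature:", req.Header.Get("X-Splitit-RequestSignature"))
}
```

The one design point worth carrying into a real integration is that SignedRequest feeds the same body string to both the signature and the HTTP request: re-serialising the JSON after signing (different key order, whitespace or number formatting) produces a payload the server cannot reproduce, and the request is rejected even though the key and headers are correct.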