The Settings view allows you to modify the configuration of your Azupay account on your own. Available options include:

  • Generate / Regenerate API keys
  • IP Whitelisting
  • Enable TopUp PayID. Used to top-up your AzupayOut account balance for outbound payments
  • Configure webhook events for PaymentRequest
  • Enable Thin Payload for webhook events

Manage API Keys

The API Keys settings allow you to generate a new set of secret and distributable keys. Click the Generate button to generate them.

You will be presented with a confirmation dialog. Click Yes to confirm the generation.

You can choose to generate HMAC keys to write signature headers for your requests.

📘

HMAC adds additional security to your system messages

HMAC headers provide a way to verify that data has not been tampered with in transit, and to verify when it was sent and by whom.

🚧

HMAC as an additional security measure

API keys with HMAC enabled will require all API calls to have a valid signature to prevent tampering as a security measure. All API calls without a valid HMAC signature will fail - only enable this if you understand how to provide the HMAC signature.

Once generated, the secret and distributed keys will be displayed. Copy and save them in a secure location, as this is the only time the keys will be displayed. Azupay does not store the API keys for security reasons.

Click Close to return to the Settings page and the new key's information will be displayed. This includes:

  • API Key ID
  • Description
  • Key Permissions
  • Status
  • Key Created

In the Actions column, you can activate or disable the keys. Click the switch icon to activate or disable them. Once you click the switch icon, the status of the key will change to ACTIVE or DISABLED.

You can ACTIVATE the DISABLED key by clicking on the action switch icon.

In the Actions column, you can duplicate existing keys. Click the icon to duplicate them.

You will be presented with a confirmation dialog. Click Yes to confirm the duplication.

Once duplicated, the key will be displayed. Copy and save it in a secure location, as this is the only time the key will be displayed. Azupay does not store the API keys for security reasons.

Click Close to return to the Settings page and the new key information will be displayed.

HMAC Keys

Each secret API key can have a companion HMAC key attached to it.

Like the API keys, the HMAC key is only displayed once, after generation.

In the dashboard you can verify which API keys have an HMAC key attached.

You can use this HMAC key to sign the payloads of POST and PUT requests made with the companion API key.

API keys that have an HMAC key attached will expect an x-hmac-signature header on POST and PUT requests.

Sample code to make signed requests:

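const crypto = require("crypto");
const axios = require("axios");

// Placeholders: substitute your own endpoint base URL and keys.
const url = '{{AZUPAY_API_URL}}'
const key = '{{YOUR_SECRET_API_KEY}}'
const hmacKey = '{{YOUR_HMAC_KEY}}'

// The body is kept as a string so that the text that is signed
// is exactly the text that is sent.
const body = `{
  "PaymentRequest": {
    "clientId": "{{CLIENT_ID}}",
    "clientTransactionId": "c0e35aad-c9a8-45e8-be41-30794f138b9c",
    "paymentDescription": "Client test transaction",
    "paymentAmount": 1000.00
  }
}`

// HMAC-SHA256 over the request body, hex-encoded.
const hmac = crypto.createHmac('sha256', hmacKey);
hmac.update(body);
const signature = hmac.digest('hex')

// Send the signed body with the signature in the x-hmac-signature header.
axios.post(`${url}/paymentRequest`, body, {
  headers: {
    'Authorization': key,
    'Content-Type': 'application/json',
    'x-hmac-signature': signature
  },
});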

Requests made using API keys that have an HMAC key attached will fail if:

  • The request does not have an x-hmac-signature header
  • The signature and the body do not match (the body has been tampered with)
  • The key used to sign doesn't match the key in the API

Any of these scenarios will return a 403 Forbidden status code.
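
The three failure cases above, seen from the receiving side, as an added example that is not Azupay's code. The `verify` and `buildSignedRequest` helpers and both keys are assumptions made for illustration; the last case shows that re-serialising the body after signing also breaks the signature.

```javascript
const crypto = require("crypto");

// Constructed keys for illustration only; real keys come from the dashboard.
const HMAC_KEY = "constructed-hmac-key";
const OTHER_KEY = "constructed-other-key";

// Hex HMAC-SHA256 over the exact body string, as in the sample above.
function sign(body, hmacKey) {
  return crypto.createHmac("sha256", hmacKey).update(body).digest("hex");
}

// Hypothetical receiver-side check (an assumption, not Azupay's code) that
// maps the three documented failure cases to 403.
function verify(rawBody, headers, hmacKey) {
  const received = headers["x-hmac-signature"];
  if (typeof received !== "string") return 403; // header missing
  const expected = Buffer.from(sign(rawBody, hmacKey), "hex");
  const given = Buffer.from(received, "hex");
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length) return 403;
  return crypto.timingSafeEqual(given, expected) ? 200 : 403;
}

// Serialise once, sign that string, and send that same string.
function buildSignedRequest(payload, hmacKey) {
  const body = JSON.stringify(payload);
  return { body, headers: { "x-hmac-signature": sign(body, hmacKey) } };
}

function runCases() {
  const payload = { PaymentRequest: {
    clientId: "{{CLIENT_ID}}",
    clientTransactionId: "c0e35aad-c9a8-45e8-be41-30794f138b9c",
    paymentAmount: 1000,
  } };
  const req = buildSignedRequest(payload, HMAC_KEY);
  const wrongKeyHeaders = buildSignedRequest(payload, OTHER_KEY).headers;
  return {
    valid: verify(req.body, req.headers, HMAC_KEY),
    missingHeader: verify(req.body, {}, HMAC_KEY),
    tamperedBody: verify(req.body.replace("1000", "9000"), req.headers, HMAC_KEY),
    wrongKey: verify(req.body, wrongKeyHeaders, HMAC_KEY),
    // Same JSON value, different bytes: re-serialising after signing fails too.
    reformatted: verify(JSON.stringify(payload, null, 2), req.headers, HMAC_KEY),
  };
}
console.log(runCases());
```

If an HTTP client or proxy rewrites the JSON body between signing and sending, expect the same 403 as for a tampered body.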

IP Whitelisting

This setting lets you restrict which IP addresses can access Azupay endpoints when using your API keys.

To do this:

  1. Within the text area, enter one or more IP addresses (each address on its own line)
  2. Then click the Save button

Notes:

  • You can enter only up to 10 addresses.
  • By default, the IP filter is open to all IP addresses.

Thin Payloads

The aim of this feature is to deliver just the bare minimum needed to identify that a change has occurred, without exposing excessive data.

📘

Thin Payloads are only available for the PayTo suite of APIs

This feature is currently only available for the AzupayTo product entities, which include:

  • Payment Agreement
  • Payment Initiation
  • Payment Agreement Amendment

The fields delivered for each entity, with an example payload:

Payment Agreement

Fields:

  • paymentAgreementId
  • status
  • previousStatus
  • lastStatusBy
  • lastUpdatedTimestamp

Example:

{
  "PaymentAgreementStatus": {
    "paymentAgreementId": "732496cc3a804856d4a6c61382199e93",
    "status": "ACTIVE",
    "previousStatus": "CREATED",
    "lastStatusBy": "PAYER"
  },
  "lastUpdatedTimestamp": "2023-06-20T00:52:46.000Z"
}

Payment Initiation

Fields:

  • paymentInitiationId
  • status
  • lastUpdatedTimestamp

Example:

{
  "PaymentInitiationStatus": {
    "paymentInitiationId": "51a4151b96934d704204e3a0d891c04d",
    "status": "SETTLED"
  },
  "lastUpdatedTimestamp": "2023-06-20T00:57:47.450Z"
}

Payment Agreement Amendment

Fields:

  • paymentAgreementAmendmentId
  • amendmentStatus
  • lastUpdatedTimestamp

Example:

{
  "PaymentAgreementAmendmentStatus": {
    "paymentAgreementAmendmentId": "44a5ea0f54da0144f50b8225ce1ef854",
    "amendmentStatus": "COMPLETED"
  },
  "lastUpdatedTimestamp": "2023-06-20T00:59:31.000Z"
}
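
A receiver for the three thin payload shapes above, as an added example that is not Azupay's code. `parseThinPayload` and `applyIfNewer` are hypothetical helpers, and the out-of-order delivery handled by `applyIfNewer` is an assumption, not something this page states.

```javascript
// Wrapper key -> field names, taken from the three examples above.
// The amendment entity uses "amendmentStatus" rather than "status".
const THIN_ENTITIES = {
  PaymentAgreementStatus: ["paymentAgreementId", "status"],
  PaymentInitiationStatus: ["paymentInitiationId", "status"],
  PaymentAgreementAmendmentStatus: ["paymentAgreementAmendmentId", "amendmentStatus"],
};

// Hypothetical helper: validate a thin payload and normalise it to one shape.
function parseThinPayload(rawBody) {
  const doc = JSON.parse(rawBody);
  if (doc === null || typeof doc !== "object") throw new Error("not a JSON object");
  const known = Object.keys(doc).filter((k) =>
    Object.prototype.hasOwnProperty.call(THIN_ENTITIES, k));
  if (known.length !== 1) throw new Error("expected exactly one entity wrapper");
  const entity = known[0];
  const [idField, statusField] = THIN_ENTITIES[entity];
  const inner = doc[entity];
  if (inner === null || typeof inner !== "object") throw new Error("bad wrapper");
  const id = inner[idField];
  const status = inner[statusField];
  if (typeof id !== "string" || typeof status !== "string") {
    throw new Error(`${entity} needs string ${idField} and ${statusField}`);
  }
  // In the examples the timestamp sits beside the wrapper, not inside it.
  const stamp = doc.lastUpdatedTimestamp;
  const updatedAt = typeof stamp === "string" ? Date.parse(stamp) : NaN;
  if (Number.isNaN(updatedAt)) throw new Error("invalid lastUpdatedTimestamp");
  return { entity, id, status, updatedAt };
}

// Assumption: deliveries can arrive out of order, so keep only the newest
// status per entity id. `store` is a Map owned by the caller.
function applyIfNewer(store, event) {
  const key = `${event.entity}:${event.id}`;
  const seen = store.get(key);
  if (seen && seen.updatedAt >= event.updatedAt) return false;
  store.set(key, event);
  return true;
}

// Constructed from the example values above (shortened).
const AGREEMENT = '{"PaymentAgreementStatus":{"paymentAgreementId":' +
  '"732496cc3a804856d4a6c61382199e93","status":"ACTIVE"},' +
  '"lastUpdatedTimestamp":"2023-06-20T00:52:46.000Z"}';
const AMENDMENT = '{"PaymentAgreementAmendmentStatus":{"paymentAgreementAmendmentId":' +
  '"44a5ea0f54da0144f50b8225ce1ef854","amendmentStatus":"COMPLETED"},' +
  '"lastUpdatedTimestamp":"2023-06-20T00:59:31.000Z"}';
```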