Encryption and Decryption Process


Keys
Generate an RSA 2048 keypair and provide us with the public key; the private
key needs to be secured. We will provide you with two RSA public keys, one
for header auth and one for the body.
You need to encrypt the Partner ID in the header and the request body
using RSA public key encryption. The response from our system will be
encrypted using the public key provided by you, and you will need to
decrypt it using the RSA private key corresponding to the public key used
for encryption.
Encrypting Partner ID in the Header
To encrypt the Partner ID in the header, you can use the following steps:
1. Obtain the RSA public key provided by us.
2. Convert the Partner ID to bytes, if necessary.
3. Encrypt the Partner ID using the RSA public key.
4. Convert the encrypted data to a suitable format, such as Base64.
5. Include the encrypted Partner ID in the header of your API request as Auth.
Encrypting Request Body
To encrypt the request body, you can use the following steps:
1. Create a 16 Character Hexadecimal Salt.
2. Generate an AES key using that salt and a secret given below.
3. Encrypt the body using the AES key.
4. Convert the encrypted data to a suitable format, such as Base64.
5. Encrypt the salt using the RSA public key and send it in the header of your API
request as Key.

Secret: “CipherPay API Payout”


Include the encrypted request body in the body of your API request.
Decrypting Response
To decrypt the response from our system, you can use the following steps:
1. Use the AES key generated in the previous step to decrypt the response.
2. Process the decrypted response data as needed in your application.

Note: It's important to securely store and manage the RSA private key to
maintain the security of the decrypted data. Be sure to follow best practices
for key management and ensure that the private key is only accessible to
authorized users.

Authentication
API Security Protocol
All API requests must be authenticated with a JWT Token in the request.
Your API keys carry many privileges, so be sure to keep them secret!
You authenticate to the CipherPay API by providing your JWT token in the
header of each request.

What is JSON Web Token (JWT)?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a
compact and self-contained way for securely transmitting information
between parties as a JSON object. This information can be verified and
trusted because it is digitally signed. JWTs can be signed using a secret
(with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

Although JWTs can be encrypted to also provide secrecy between parties,
we will focus on signed tokens. Signed tokens can verify the integrity of the
claims contained within it, while encrypted tokens hide those claims from
other parties. When tokens are signed using public/private key pairs, the
signature also certifies that only the party holding the private key is the one
that signed it.

What is the JSON Web Token structure?


In its compact form, JSON Web Tokens consist of three parts separated by
dots (.), which are:

• Header
• Payload
• Signature
Therefore, a JWT typically looks like the following.

You can find complete reference here

Token Creation using JWT

JWT generation process

All APIs accept a JSON Web Token (JWT) in the header value for
Authorization. Refer to https://jwt.io/ to understand JWT better. The JWT
signature has to be generated using the partner secret.

Algorithm type - HS256

JWT Payload

JSON
{
"timestamp": "2022-12-24 15:03:34",
"partnerId": "PROVIDED BY CIPHERPAY",
"reqId": "122333"
}

reqId: send a unique integer for each request.

The timestamp is in seconds and is valid for <= 5 minutes from the current time.
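
The token creation described above, as an added example that is not CipherPay's own code. It builds the HS256 token from the three payload fields and shows the checks a receiver would apply (pinned algorithm, constant-time signature comparison, 5-minute window). Assumptions: the standard RFC 7519 compact layout, both sides reading the timestamp on the same clock and timezone, hypothetical function names, and a constructed secret and partner ID.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"   # layout of the sample payload's timestamp
MAX_AGE = timedelta(minutes=5)    # validity window stated on the page

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: bytes) -> str:
    mac = hmac.new(secret, signing_input.encode("utf-8"), hashlib.sha256)
    return b64url(mac.digest())

def create_token(partner_id: str, req_id: str, secret: bytes, now: datetime) -> str:
    """Build header.payload.signature with the three claims the page lists."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"timestamp": now.strftime(TS_FORMAT),
               "partnerId": partner_id, "reqId": req_id}
    head_b64, body_b64 = (b64url(json.dumps(part, separators=(",", ":")).encode())
                          for part in (header, payload))
    return f"{head_b64}.{body_b64}.{sign(head_b64 + '.' + body_b64, secret)}"

def verify_token(token: str, secret: bytes, now: datetime) -> dict:
    """Receiver-side checks (hypothetical): pinned alg, MAC, then freshness."""
    try:
        head_b64, body_b64, sig = token.split(".")
        header = json.loads(b64url_decode(head_b64))
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm; never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = sign(f"{head_b64}.{body_b64}", secret)
    if not hmac.compare_digest(expected.encode(), sig.encode()):  # constant-time
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body_b64))  # trusted only after the MAC check
    age = now - datetime.strptime(payload["timestamp"], TS_FORMAT)
    # Assumption: future-dated timestamps are rejected as well as stale ones.
    if not timedelta(0) <= age <= MAX_AGE:
        raise ValueError("timestamp outside the 5-minute window")
    return payload

if __name__ == "__main__":
    key = b"constructed-partner-secret"      # constructed placeholder, not a real secret
    t0 = datetime(2022, 12, 24, 15, 3, 34)   # timestamp from the sample payload
    print(verify_token(create_token("PARTNER-ID-PLACEHOLDER", "122333", key, t0), key, t0))
```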

IP ADDRESS RESTRICTION
We only whitelist Indian IP addresses, and the server location must be in India only.

Authorisedkey

An authorized key must be passed in UAT but not in the Live environment, if the partner is not
using a shared IP.

UAT Endpoint:
https://uatapi.cipherpay.co.in/api/
LIVE Endpoint:
https://api.cipherpay.in/api/
