Encryption and Decryption Process
Keys
Generate an RSA 2048 keypair and provide us with the public key. The private
key needs to be secured. We will provide you with two RSA public keys, one
for header auth and one for the body.
You need to encrypt the Partner ID in the header and the request body
using RSA public key encryption. The response from our system will be
encrypted using the public key provided by you, and you will need to
decrypt it using the RSA private key corresponding to the public key used
for encryption.
Encrypting Partner ID in the Header
To encrypt the Partner ID in the header, you can use the following steps:
1. Obtain the RSA public key provided by us.
2. Convert the Partner ID to bytes, if necessary.
3. Encrypt the Partner ID using the RSA public key.
4. Convert the encrypted data to a suitable format, such as Base64.
5. Include the encrypted Partner ID in the header of your API request as Auth.
Encrypting Request Body
To encrypt the request body, you can use the following steps:
1. Create a 16 Character Hexadecimal Salt.
2. Generate an AES key using that salt and a secret given below.
3. Encrypt the body using the AES key.
4. Convert the encrypted data to a suitable format, such as Base64.
5. Encrypt the salt using the RSA public key and send it in the header of your API
request as Key.
Note: It's important to securely store and manage the RSA private key to
maintain the security of the decrypted data. Be sure to follow best practices
for key management and ensure that the private key is only accessible to
authorized users.
Authentication
API Security Protocol
All API requests must be authenticated with a JWT Token in the request.
Your API keys carry many privileges, so be sure to keep them secret!
You authenticate to the CipherPay API by providing your JWT token in the
header of each request.
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a
compact and self-contained way for securely transmitting information
between parties as a JSON object. This information can be verified and
trusted because it is digitally signed. JWTs can be signed using a secret
(with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
In its compact form, a JWT consists of three parts separated by dots (.):
• Header
• Payload
• Signature
Therefore, a JWT typically looks like the following.
JWT generation process
All APIs accept a JSON Web Token (JWT) as the value of the Authorization
header. Refer to https://jwt.io/ to understand JWT better. The JWT signature
has to be generated using the partner secret.
JSON
{
  "timestamp": "2022-12-24 15:03:34",
  "partnerId": "PROVIDED BY CIPHERPAY",
  "reqId": "122333"
}
Send a unique integer as reqId for each request.
Timestamp is in seconds and it will be valid for <=5 minutes from current time.
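The token described above, built and checked with only the Python standard library. This is an added example, not CipherPay's code. It assumes HS256 as the HMAC variant and that the timestamp is compared against a clock in the same time zone; the function names and the demo values are hypothetical, and the verification side is a sketch of the checks such a token calls for, not the provider's implementation.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # layout of the sample "timestamp" value
MAX_AGE = timedelta(minutes=5)   # validity window stated in the documentation

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: bytes) -> str:
    mac = hmac.new(secret, signing_input.encode("utf-8"), hashlib.sha256)
    return b64url(mac.digest())

def make_token(partner_id: str, req_id: str, secret: bytes, now: datetime) -> str:
    header = {"alg": "HS256", "typ": "JWT"}  # assumption: HS256 is the HMAC variant
    payload = {"timestamp": now.strftime(TS_FORMAT),
               "partnerId": partner_id, "reqId": req_id}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload))
    return signing_input + "." + sign(signing_input, secret)

def verify_token(token: str, secret: bytes, now: datetime) -> dict:
    try:
        head_b64, body_b64, sig = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        payload = json.loads(b64url_decode(body_b64))
    except ValueError as exc:  # wrong part count, bad Base64 or bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("malformed token")
    # Pin the algorithm instead of trusting whatever the token header claims.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = sign(head_b64 + "." + body_b64, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise ValueError("bad signature")
    issued = datetime.strptime(str(payload.get("timestamp")), TS_FORMAT)
    if abs(now - issued) > MAX_AGE:
        raise ValueError("timestamp outside 5-minute window")
    return payload
```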
IP ADDRESS RESTRICTION
We whitelist only Indian IP addresses, and the server must be located in India.
Authorisedkey
The authorized key must be passed in UAT but not in the Live environment, if the
partner is not using a shared IP.
UAT Endpoint:
https://uatapi.cipherpay.co.in/api/
LIVE Endpoint:
https://api.cipherpay.in/api/