
Authentication

Authentication information is sent in custom HTTP request headers, not in the request payload itself.

Tranzila uses a secure access token to authenticate each request, to prevent the same request from being processed more than once, and to prevent man-in-the-middle attacks.

To achieve that, every merchant must enroll in Tranzila API Services and obtain both a public key and a secret key from Tranzila.
The public key is sent with each request and is exposed in the request header; the secret key is used only internally, by the merchant application and by the server application for each merchant.

Please make sure the secret key is kept safe and is never shared with anyone. This restriction means you cannot call the Tranzila API from within a web client application; call it through a proxy service on your server instead.

| Header | Note |
| --- | --- |
| X-tranzila-api-app-key | Application key supplied by Tranzila |
| X-tranzila-api-request-time | Request time sent in Unix format (integer counting seconds from Jan 1st, 1970 00:00:00 UTC) |
| X-tranzila-api-nonce | A 40 bytes NONCE – unique random string generated with any random bytes function |
| X-tranzila-api-access-token | hash_hmac using 'sha256' on application key with secret + request-time + nonce. hash_hmac is available for all programming languages with samples found here |

Create a Valid Access Token

Examples

PHP
// JSON request body, taken here from a posted form field
$json = trim(isset($_POST['jsontext']) ? $_POST['jsontext'] : '');
$time = time();
$appKey = '<public app key>';
$secret = '<private app key>';
$nonce = bin2hex(random_bytes(40)); // 40 random bytes, hex-encoded to an 80-character string
// hash_hmac(algo, data, key): the data is the app key, the key is secret + time + nonce
$accessToken = hash_hmac('sha256', $appKey, $secret . $time . $nonce);

$ch = curl_init('<<please replace this with service endpoint>>');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLINFO_HEADER_OUT, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $json);
// Keep TLS host name and certificate verification enabled;
// disabling them exposes the request to man-in-the-middle interception
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/json',
        'Content-Length: ' . strlen($json),
        'X-tranzila-api-app-key: ' . $appKey,
        'X-tranzila-api-request-time: ' . $time,
        'X-tranzila-api-nonce: ' . $nonce,
        'X-tranzila-api-access-token: ' . $accessToken
    )
);

// Response body on success, false on failure
$data = curl_exec($ch);
curl_close($ch);
return $data;
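
Python

The same token built outside PHP, as an added example that is not Tranzila's code: Python's `hmac.new` takes the key first, so the arguments swap position relative to `hash_hmac`. `check_request`, `seen_nonces` and `max_skew` are hypothetical names sketching how a receiver could reject stale or repeated requests; the page does not describe Tranzila's actual server-side checks.

```python
import hashlib
import hmac
import secrets
import time


def access_token(app_key, secret, request_time, nonce):
    # PHP: hash_hmac('sha256', $appKey, $secret . $time . $nonce) is (algo, data, key).
    # Python: hmac.new(key, msg, digestmod), so key and message swap positions.
    key = f"{secret}{request_time}{nonce}".encode()
    return hmac.new(key, app_key.encode(), hashlib.sha256).hexdigest()


def build_headers(app_key, secret):
    # A fresh time and nonce per request, so no two requests share a token.
    request_time = int(time.time())
    nonce = secrets.token_hex(40)  # 40 random bytes -> 80 hex characters
    return {
        "X-tranzila-api-app-key": app_key,
        "X-tranzila-api-request-time": str(request_time),
        "X-tranzila-api-nonce": nonce,
        "X-tranzila-api-access-token": access_token(app_key, secret, request_time, nonce),
    }


def check_request(headers, secret, seen_nonces, now, max_skew=300):
    # Hypothetical receiver-side check (assumption, not Tranzila's server logic):
    # recompute the token, then reject old timestamps and already-seen nonces.
    sent = int(headers["X-tranzila-api-request-time"])
    nonce = headers["X-tranzila-api-nonce"]
    expected = access_token(headers["X-tranzila-api-app-key"], secret, sent, nonce)
    supplied = headers["X-tranzila-api-access-token"]
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad token"
    if abs(now - sent) > max_skew:
        return "stale"
    if nonce in seen_nonces:
        return "replayed"
    seen_nonces.add(nonce)
    return "ok"


if __name__ == "__main__":
    # Constructed sample credentials, not real keys.
    hdrs = build_headers("app-key-constructed", "secret-constructed")
    seen = set()
    print(check_request(hdrs, "secret-constructed", seen, int(time.time())))  # first use
    print(check_request(hdrs, "secret-constructed", seen, int(time.time())))  # same headers again
```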