Authentication
EFIcyent APIs use a multi-layered authentication model to ensure message integrity, request authenticity, and strong replay-attack protection.
EFICYENT APIs use a hybrid authentication mechanism that combines:
- Merchant Identification & API Key–based identification
- HMAC-SHA256 hashing
- RSA Private Key Signature
- Timestamp & Nonce for replay protection
This ensures high-grade security, request integrity, and protection against tampering or replay attacks.
How Authentication Works
Every outgoing API request must include the following headers:
| Header | Description |
|---|---|
X-Merchant-Id | Identifies the merchant making the request. |
X-Api-Key | Public API key associated with the merchant. |
X-Api-Timestamp | Current UNIX timestamp (in seconds). Used to prevent replay attacks. |
X-Api-Signature | RSA signature generated from the HMAC hash of the request payload. |
X-Api-Nonce | Unique UUID per request |
Endpoints Excluded from Signature Validation
The following APIs do not require request signing:
- Registration
- Login
Signature Generation Flow
The client must generate a digital signature for every request using this process:
1. Add Merchant ID Header
X-Merchant-Idis sent with every request.
2. Construct the URL Path
Extract only the last segment of the URL path.
Example:
/v1/payments/create → /create
3. Collect Request Data
Depending on the HTTP method:
- GET / DELETE → Convert all non-disabled query parameters into a JSON object.
- POST / PUT / PATCH→ Parse the raw JSON body or form-data (excluding files).
This becomes your request body object (bodyObj).
4. Generate the Plain Text String
Concatenate the following:
urlPath + JSON.stringify(bodyObj) + timestamp + saltKey
Example:
/create{"amount":1000,"currency":"USD"}1730001123mySaltKey123
5. Generate HMAC (SHA-256)
Use the salt_key as the secret to create an HMAC-SHA256 hash of the plain text.
HMAC = HMAC_SHA256(plainText, salt_key)
This HMAC ensures integrity of the request data.
6. RSA Private Key Signing
The generated HMAC hash is then signed using the merchant's RSA Private Key (PKCS#8).
Signature = RSA-SHA256-Sign(HMAC)
The signature is then encoded in Base64 and passed as the X-Api-Signature header.
7. Generate Nonce
- A random UUID to prevent replay attacks
8. Attach Headers
- Add all authentication headers to the request
Final Headers to Include
Each API request must include the following:
X-Merchant-Id: <merchant_id>
X-Api-Key: <api_key>
X-Api-Timestamp: <unix_timestamp>
X-Api-Signature: <rsa_signed_hmac_base64>
X-Api-Nonce: <uuid>Security Benefits
| Layer | Purpose |
|---|---|
| Merchant ID | Identifies the merchant account. |
| API Key | Validates application-level authorization. |
| Timestamp | Prevents replay attacks by enforcing time-bound validity. |
| HMAC Hashing | Ensures the request body and URL have not been altered. |
| RSA Signing | Provides cryptographic proof that the request originated from the merchant. |
This multi-step approach ensures every request is authenticated, validated, and tamper-proof.
Updated 19 days ago