Technical Specification of the OPAY System (standard OPAY_8.1).
Requirements for data transmitted by the Merchant and data received, are outlined in Tables No. 1 and No. 2, respectively. Each piece of data is referred to as a Parameter.
The data that travels between the OPAY system and the Merchant's website can follow two routes:
When providing payment method names in programming examples or any other technical specifications, please be aware that we kindly request you to provide the systematic payment method name.
Payment methods are categorized into groups. The group name is reflected in the systematic payment method name. If the specification allows for the indication of more than one payment method, instead of listing all the individual payment methods within the group, you can specify only the systematic name of the group. When the group name is provided, the system identifies it as if all the payment methods specified within the group were listed.
Below is a list of payment method groups along with the corresponding payment methods they include. The systematic payment method names are provided in parentheses next to the name.
In cases where an optional parameter is either omitted or submitted with an empty value:
When an optional parameter is submitted with a value (non-empty):
The amount of data (parameters) transmitted by the Merchant during Customer redirection to OPAY differs depending on the Payment Services utilized by the Merchant, as defined by the Agreement between OPAY and the Merchant. With each request, the Merchant can specify the preferred payment methods (desired Payment Services) for that specific transaction, within the limits outlined by the Agreement's Payment Services. Certain parameters remain uniform across all payment methods. Please pay attention to the parameters necessary and marked as mandatory for each payment method (Payment Service).
The data sent to the system must be encoded in UTF-8. The data is transmitted using the HTTP POST or GET method to the address https://gateway.opay.lt/pay/.
Explanation of Columns in Table No. 1:
Data can be transmitted as a single parameter. When sending data in this manner, the information must be concatenated into a single line, then converted into base64 encoding and transmitted as the sole parameter named encoded. For more comprehensive details, refer to the section on Data Encoding to mitigate potential distortions.
Table No. 1
Description of Data Sent by the Merchant (HTTP POST or GET parameters).
Marked. | |
Unmarked. |
Parameter Type (Max Length) |
Possible Values, Default Value |
Banklink, Card, Financing, Mobilewallet | Banktransfer, Cash | Mandatory | Show Descriptions Hide descriptions |
---|---|---|---|---|---|
website_id str(10) |
Show description Hide description | ||||
The unique code for the Merchant's online store, provided by OPAY and specified in the Agreement signed between the Merchant and OPAY. | |||||
order_nr str(40) |
Show description Hide description | ||||
The order number is generated by the Merchant's store. The Merchant
provides this number to OPAY so that, upon seeing it in the
response, the Merchant can associate it with payment confirmation or
notification of a failed payment for a specific order. Allowed characters include: a – ž A-Ž (Lithuanian lowercase and uppercase letters) 0 – 9, , (comma), . (dot), (space), ( ) (parentheses), ; (semicolon), - (hyphen). The permissible character pattern in regex form would appear as: a-zA-Z0-9ąčęėįšųūžĄČĘĖĮŠŲŪŽ,\.\s();\- |
|||||
redirect_url str(255) |
Show description Hide description | ||||
The complete HTTP web address with the specified protocol (e.g., https://website.com/file.jsp). This address is where the Customer is directed after completing the payment. | |||||
redirect_on_success int(1) |
0, 1 | Show description Hide description | |||
In certain cases, when the returning Customer reaches theMerchant'spage (redirect_url), they may not simultaneously carry the data package signed by OPAY indicating the payment's success. This occurs due to certain OPAY Partners (e.g., certain banks) being unable to immediately provide OPAY information right after a completed payment, or when the payment has been successful. Possible values of the parameter:
Value 0 indicates that OPAY should skip using the Payment Processing waiting window and immediately redirect the Customer while passing on the available payment information. When the Payment Processing waiting window is utilized, only Customers who have successfully completed the payment will be redirected to the Merchant's page. In this scenario, the Merchant's system can take appropriate actions, like promptly providing the service or expressing gratitude for the successful payment. |
|||||
web_service_url str(255) |
Show description Hide description | ||||
The HTTP address with the specified protocol (e.g., https://website.com/file.jsp) to which the OPAY server response about the payment will be sent. | |||||
back_url str(255) |
Show description Hide description | ||||
The complete HTTP address with the specified protocol (e.g., https://website.com/file.jsp), which will be used for sending the OPAY server's response about the payment. If this address is provided, when the Customer clicks Return to the Merchant's websiteon the payment confirmation page, OPAY will redirect the Customerto the specified address using the HTTP GET method, along with the parameters passed (Table No. 2, column When the response parameter status = 5). It's important to note a couple of returned parameters:
Additionally, you can utilize the link https://gateway.opay.lt/?tid=<transaction code> to directly return the Customer to the same payment page if the Customer hasn't made any changes to their shopping cart and is simply navigating between the Merchant's and OPAY's payment pages. It's important to clarify, that this link isn't designed to interrupt the payment process; rather, it provides the Merchant with the flexibility to allow seamless navigation between the OPAY payment page and the store. This link can be clicked by individuals other than the original Customer (i.e., someone whose login session is active on the Merchant's website), as the payment page link can be shared for payment by someone else. Depending on your needs, you can include identifying parameters like the shopping cart within the back_url link. Note. This parameter is intended for Merchants with specific and unique requirements, particularly those operating non-standard systems that necessitate the ability to navigate freely between OPAY and the Merchant's website. |
|||||
standard str(9) |
opay_8.1 | Show description Hide description | |||
Version of the Data Exchange Specification. TheMerchant's and OPAY systems must be aware of the specification under which data is submitted and received. | |||||
language str(3) |
LIT, ENG, LAV, EST, RUS | Show description Hide description | |||
In which language to display the OPAY payment page. | |||||
amount int(10) |
Show description Hide description | ||||
What amount the Customer needs to pay. The amount is provided in cents. | |||||
currency str(3) |
EUR | Show description Hide description | |||
What currency the payment amount is presented in. | |||||
show_channels str(1000) |
Read description | Show description Hide description | |||
Here you can specify the desired payment methods for this payment. Refer to the parameters show_channels and hide_channels”. | |||||
hide_channels str(1000) |
Read description | Show description Hide description | |||
Here you can specify the undesired payment methods for this payment. Refer to the parameters show_channels and hide_channels”. | |||||
country str(2) |
LT, LV, EE | Show description Hide description | |||
Based on the indicated country, the available payment methods are presented to the Customer in that country (ISO 3166-1 alpha-2). | |||||
payment_description str(128) |
Read description | Show description Hide description | |||
When the Customer makes a payment, this text is provided during the payment process. You can create the text according to your preference, but you must include the placeholders:
In place of the placeholder, the OPAY system will insert its corresponding value. The mandatory placeholder is {order_nr}, and at least one of the placeholders {website} or {merchant} is required.
In the text created by the Merchant, the following
characters can be used:
Allowable character regex would look like this: a-zA-Z0-9ąčęėįšųūžĄČĘĖĮŠŲŪŽ,\.\s();\- Default value: Payment for order No. {order_nr} on the website {website} |
|||||
time_limit int(7) |
Show description Hide description | ||||
The payment must be completed within a specified time limit, measured in minutes. To learn more about this parameter, please refer to the parameter time_limit section. | |||||
test str(10) |
Read description | Show description Hide description | |||
To utilize this parameter, you need to provide the User Identification Number (User ID in the OPAY system) assigned to the user authorized for testing the provided website. By specifying this parameter, you can conduct data exchange testing with OPAY. Actual payments will not be processed during this testing phase. | |||||
c_email str(100) |
Show description Hide description | ||||
Customer's email address. If you provide it, the Customer won't need to enter their email address again on the OPAY payment page. | |||||
c_mobile_nr str(30) |
Show description Hide description | ||||
Customer's mobile phone number. Provided with an international code, e.g.: +37065912387. If provided, the Customer using mobile wallet won't need to enter their mobile phone number again on the OPAY payment page. | |||||
pass_through_channel_name str(30) |
Show description Hide description | ||||
This directive instructs the OPAY system to bypass the payment selection page and immediately direct the Customer to their chosen payment method, such as banklink_swedbank. To enable this feature, the parameter c_email cannot be left empty. |
|||||
pass_through_only int(1) |
0, 1 | Show description Hide description | |||
This parameter can only be used in conjunction with the pass_through_channel_name parameter. By default, the OPAY system operates in a way that when a payment fails using any of the payment methods, the Customer is redirected to the OPAY payment method selection page rather than back to the Merchant's website. This allows the Customer to choose an alternative payment method or send the payment to another person. When using the pass_through_only parameter with a value of 1 (pass_through_only = 1), you instruct the OPAY system to exclusively use the payment method specified in the pass_through_channel_name parameter. In case of a failed payment, the Customer will no longer be redirected to the OPAY payment method selection page but will be directed back to the Merchant's website at the address specified in the redirect_url parameter. The Customer is returned to the e-store with a message stating Payment Cancelled (status = 3). |
|||||
rsa_signature str(700) |
Show description Hide description | ||||
The signature obtained by signing all the sent data with the RSA private key. This is the recommended signing method by OPAY. The signing methods are agreed upon in the Agreement. | |||||
password_signature str(32) |
Show description Hide description | ||||
The signature is generated by signing all transmitted data with a password. This password is a unique character combination provided by OPAY and specified in the Agreement. It remains known solely to OPAY and the Merchant, serving as the Merchant's signature when signing and as OPAY's verification when checking the Merchant's signature. Similarly, it functions as OPAY's signature when signing and as the Merchant's verification when validating OPAY's signature. The methods of signature generation are mutually agreed upon in the Agreement. |
Parameter data is encoded in UTF-8.
The parameters sent to the Merchant must be combined into a single parameter named encoded. These parameters should be joined into a single line and then encoded using base64. For a more comprehensive understanding, please refer to the section Data Encoding to Prevent Potential Distortions, which helps prevent any potential data distortion.
The OPAY server may resend the same message, so the Merchant must verify whether they have already received such a message before processing it.
In the case of a successful payment (status = 1), the parameter p_token will reflect this status.
If the Merchant receives a duplicate message indicating a successful payment (status = 1), and the order_nr parameter value matches previously received messages, but the p_token parameter value differs, this indicates distinct payments for the same cart of items. The order_nr parameter corresponds to the order/cart number assigned by the Merchant's system.
The Merchant must carefully inspect the value of the status parameter. As new message types (status values) may emerge in the future, the Merchant's server should exclusively respond to messages with known status parameter values.
It is of utmost importance for the Merchant to confirm whether the payment amount and currency match those specified in the request to OPAY. This step is essential due to instances where the Customer might incorrectly input values when using certain payment methods (e.g., Bank Transfer).
The successful payment message sent to the Merchant includes the currency (parameter currency) and amount (parameter amount) that the Merchant sent to OPAY, as well as the currency (parameter p_currency) and amount (parameter p_amount) that the Customer paid. These parameters should be aligned otherwise OPAY will also notify the Merchant via email about it. However, it is crucial for the Merchant's system to independently identify discrepancies and execute appropriate actions.
Once OPAY forwards a response to the Merchant's provided inter-server communication URL (parameter web_service_url), the Merchant's server should respond by acknowledging the receipt. Specifically, the Merchant's system must return the text OK. OPAY does not take into consideration HTTP headers (e.g., Status or Content-Type), but exclusively validates the content to ascertain an OK response. The OPAY server will await this response for a duration of 3 seconds after dispatching the message.
If OPAY does not receive a response or does not receive an OK response after multiple attempts, it will cease sending the message again. This occurs after four consecutive attempts, with the second attempt taking place after 1 minute, the third after 5 minutes, and the fourth after 1 hour.
In the event that OPAY fails to receive the correct response after the fourth attempt, the automated retransmission of the message will cease.
Table No. 2
Description of Received Parameters.
always sent. | |
Sent depending on the data sent by the Merchant or the information provided by the OPAY payment Partner. | |
not sent. |
Parameter Type (Max Length) |
Possible values | When the response parameter status = 1 | When the response parameter status = 0 | When the response parameter status = 2, status = 3 | When the response parameter status = 5 | Show Descriptions Hide descriptions |
---|---|---|---|---|---|---|
status int(1) |
0, 1, 2, 3, 5 | Show description Hide description | ||||
This parameter defines the type of the message. 0– Payment did not occur within the specified time (by the time_limit parameter). The message is sent only to the address specified in the web_service_url parameter (Table No. 1), and only in the case when the time_limit parameter was specified by the Merchant when sending the request to OPAY. 1 – Payment completed successfully. When using standard OPAY functionality, status = 1 is the only type of OPAY message. All other messages are activated additionally with parameters described in Table No. 1. The message is sent when the Customer is redirected to the address specified in the redirect_url (Table No. 1), along with the data passed using the HTTP GET method. The message is also sent repetitively to the address specified in the web_service_url parameter (Table No. 1), along with the data passed using the HTTP POST method. The message that accompanies the Customer (to redirect_url) and the message sent directly to the server (to web_service_url) are asynchronous with respect to each other. This means that one can arrive first or the other can arrive first. The Customer may not arrive with the message at all (to redirect_url) if he closes the browser. However, the message to the server (web_service_url) is always sent. 2 – Payment request created. If the Merchant specifies the value 0 for the redirect_on_success parameter when sending a payment request, the Customer can return with this type of message after completing the payment. In cases where the redirect_on_success parameter is set to 0, OPAY will immediately redirect the Customer to the address specified in the redirect_url parameter without waiting for payment status from the Partner. This message type exists to accommodate certain OPAY Partners (e.g., certain banks) that might not be able to immediately notify the OPAY system after a payment is completed or when the payment is successful. 3 – Payment Cancelled. If the Merchant, when sending a payment request, has set the value 1 for the pass_through_only parameter and all other conditions required for this parameter have been met (correctly specified pass_through_channel_name and c_email), then in the event of payment failure or cancellation using one of the payment methods, the Customer will be redirected back to the Merchant (the Customer is always redirected to the address specified in the redirect_url parameter) with this type of message. 5 - The Customer clicked the Return to Merchant's Website button (Table No. 1, parameter back_url). The Customer is redirected to the address specified in the back_url parameter, along with a message sent via HTTP GET method. |
||||||
website_id str(10) |
Show description Hide description | |||||
The unique code for the Merchant's online store, provided by OPAY and specified in the Agreement signed between the Merchant and OPAY. | ||||||
transaction_id str(10) |
Show description Hide description | |||||
The unique transaction number provided by OPAY, which identifies the transaction created by the Merchant in the OPAY system. This number can be used to access the specific page dedicated to the payment. | ||||||
order_nr str(40) |
Show description Hide description | |||||
The order number generated by the store is presented by the Merchant to facilitate identification. In the OPAY response, this order number allows the Merchant to associate the payment confirmation or notification of a failed payment with the respective order. | ||||||
standard str(9) |
opay_8.1 | Show description Hide description | ||||
Data Exchange Specification Version. Both the Merchant and OPAY systems need to be aware of the version of the specification based on which the data is being sent or received. | ||||||
language str(3) |
LIT | Show description Hide description | ||||
In what language was the OPAY payment page displayed. | ||||||
amount int(10) |
Show description Hide description | |||||
The value of the parameter corresponds to the value sent by the Merchant to OPAY. | ||||||
currency str(3) |
EUR | Show description Hide description | ||||
The value of the parameter corresponds to the value sent by the Merchant to OPAY. | ||||||
test str(10) |
Show description Hide description | |||||
If this parameter is provided, it indicates that this is a test message. A real payment has not been made. The value of the parameter corresponds to the value sent by the Merchant to OPAY. | ||||||
p_token str(100) |
Show description Hide description | |||||
Unique code assigned to the payment. In the event that the same individual initiates the same payment multiple times, all parameter values would remain consistent, except for the value of this parameter, which would differ for each instance. If this parameter's value is recurring, it indicates a repeated message pertaining to the same payment transaction. | ||||||
p_amount int(10) |
Show description Hide description | |||||
The amount in cents that the Customer paid for the payment transaction. | ||||||
p_currency str(3) |
EUR | Show description Hide description | ||||
The currency used by the Customer for the payment of the transaction. | ||||||
p_channel str(30) |
Show description Hide description | |||||
Payment method (Payment service) used for the transaction.. | ||||||
p_bank str(30) |
Show description Hide description | |||||
Systematic name of the OPAY Partner whose services the Customer utilized for the payment. | ||||||
p_local_date_time str(19) |
Show description Hide description | |||||
Local time when OPAY received the payment notification. Time format: YYYY-MM-DD hh:mm:ss | ||||||
p_gmt_date_time str(19) |
Show description Hide description | |||||
The GMT timezone time when OPAY received the payment notification. Time format: YYYY-MM-DD hh:mm:ss | ||||||
c_full_name str(100) |
Show description Hide description | |||||
Customer's first and last name, if provided by the OPAY payment Partner (e.g., a bank) to OPAY. | ||||||
c_account_nr str(50) |
Show description Hide description | |||||
Customer's account number from which the payment was made is provided if the OPAY payment Partner (e.g., a bank) supplies such information to OPAY. | ||||||
c_email str(100) |
Show description Hide description | |||||
Customer's email address. Note: The provided email address may vary from the one submitted by the Merchant to OPAY, as OPAY allows the Customer to modify the email address originally provided by the Merchant. | ||||||
c_mobile_nr str(30) |
Show description Hide description | |||||
Customer's mobile phone number. Note: The provided mobile phone number may differ from the one submitted by the Merchant to OPAY, as OPAY allows the Customer to edit the mobile phone number initially provided by the Merchant. | ||||||
rsa_signature str(700) |
Show description Hide description | |||||
When transmitting a data packet, OPAY signs it in a manner consistent with how the Merchant signed their request when submitting it to OPAY. The specific methods of signing are outlined in the Agreement. | ||||||
password_signature str(32) |
Show description Hide description | |||||
OPAY signs the data packet using the same method that the Merchant used to sign their request when submitting it to OPAY. The signing methods are outlined in the Agreement. |
By default (without using these parameters), the OPAY system will present all the payment methods agreed upon in the OPAY and Merchant Agreement.
Using the show_channels parameter, you can specify the precise payment methods that should be shown to the Customer on the OPAY payment page (payment method names are separated by commas).
With the hide_channels parameter, you can indicate which payment methods should not be displayed to the Customer on the OPAY payment page (payment method names are separated by commas).
The available payment methods in the OPAY system are detailed in the section Names of Systematic Payment Methods. Payment methods are organized into groups, each representing a specific payment method.
For instance, in the case of the payment method group banklink, it can be further divided into individual banks with abbreviations like banklink_swedbank, banklink_seb, banklink_dnb, banklink_danske, banklink_citadele, banklink_sb, banklink_medbank. In the case of banklink payments, you can specify not only the payment method as a group but also individual banks. Each bank within the banklink category is treated as a distinct payment method, so the system distinguishes between banklink and banklink_seb.
To avoid listing all individual banks, you can use banklink as shorthand. However, if needed, you can explicitly list specific individual payment methods like this: banklink_<bank_system_name>, banklink_<bank_system_name>...
The OPAY system follows a specific sequence when processing the parameters show_channels and hide_channels. Firstly, the system examines the value of show_channels to determine the payment methods that should be presented to the Customer. In case no specific values are provided within the show_channels parameter, the system defaults to displaying all the payment methods agreed upon in both the OPAY and Merchant Agreement.
Examples when the payment methods of Online Banking (banklink) and Bank Transfer (banktransfer) are agreed upon in the Agreement between OPAY and the Merchant:
In hide_channels, specific values are set: banklink_swedbank, banklink_seb
In such a case, the OPAY system will exhibit the banktransfer payment method alongside the banklink payment method, excluding SWEDBANK and SEB.
In show_channels, certain values are specified: banklink_swedbank, banklink_seb
Here, only the banklink payment method will be displayed, providing the option to transact using the services of SWEDBANK and SEB banks.
Within hide_channels, the value is defined as: banklink
In this instance, solely the banktransfer payment method will be showcased.
For hide_channels, values are assigned: banklink, banktransfer
This scenario leads to an error since the Merchant requests the system not to display any payment methods. The Merchant will be notified of this situation via email, while all the payment methods agreed upon in both the OPAY and Merchant Agreement will be visible to the Customer.
The parameter time_limit is designed to set a time limit within which a payment must be completed. If the payment is not finalized within this specified time frame, the Merchant's website will automatically receive a notification indicating the unsuccessful payment (status = 0).
In the section titled Minimum Time Required for Payment the table provides the minimum time intervals that can be assigned to specific payment methods.
Taking the Merchant's provided time into consideration, the OPAY system will display to the Customer only those payment methods for which the minimum permissible time in minutes is equal to or less than the time specified by the Merchant.
If a time value smaller than the minimum allowable duration for a specific payment method is provided, the Merchant will be notified of the error via email, while the Customer will be presented with the payment method that has the minimum allowable time (or multiple payment methods with the same minimum time). The time_limit parameter is closely intertwined with the show_channels and hide_channels parameters. Therefore, in this scenario, the system, in its quest for the payment method with the shortest time, will initially verify whether the Merchant has specified preferred payment methods for this transaction using the show_channels and/or hide_channels parameters. If the Merchant has done so, the system will prioritize seeking the payment method with the shortest time from the Merchant's designated options. If the Merchant has not defined such preferences, the system will seek out the payment method from all the stipulated payment methods in both the OPAY and Merchant Agreement.
IMPORTANT!
If a payment occurs after the specified time_limit has expired (for instance, if the Customer is on a bank's website where the OPAY time is not displayed), the Merchant will receive a message about the unsuccessful payment (Table No. 2, status = 0) in the usual manner. Following this, an additional message about the successful payment (Table No. 2, status = 1) will be sent.
Moreover, the Merchant will receive an email notification regarding the payment that took place after the designated time frame. The Customer will also be informed about the delayed payment and will be provided with the option to get in touch with the Merchant. In this scenario, it is up to the Merchant to make decisions regarding further actions concerning the Customer. For instance, the Merchant may suggest an alternative product or initiate a refund.
This table provides the time limits in minutes set for each payment method. These time limits, as specified in the time_limit parameter, ensure that the corresponding payment method is displayed to the Customer.
Systematic Payment Method Name | Time in minutes |
---|---|
banklink | 20 |
banklink_swedbank | 10 |
banklink_seb | 10 |
banklink_dnb | 10 |
banklink_citadele | 20 |
banklink_sb | 10 |
banklink_medbank | 10 |
card | 10 |
cash | 1440 (24 hours) |
cash_perlas | 1440 (24 hours) |
financing | 20 |
financing_gf | 20 |
mobilewallet | 10 |
mobilewallet_moq | 10 |
banktransfer | 1440 (24 hours) |
As the transmitted data contains not only Latin characters but also other characters, it's vital to use the correct character encoding to ensure that the message reaches the recipient without any distortions. The success of delivering the message accurately relies on the Customer‘s internet browser correctly interpreting all symbols. There's a potential risk of data distortion, which could lead to the entire data packet being perceived as incorrect (not matching the digital signature). The level of browser sophistication directly correlates with the probability of errors occurring.
We handle this situation in the following manner:
We encode the data to be sent using the base64 encoding method.
We are compiling a complete data package intended to be sent to OPAY. Let's consider this as an associative array where the index denotes the parameter name and the value represents the parameter value. We convert this array into a URL-encoded string following the RFC 1738 standard. Subsequently, we transform the URL-encoded string into a base64-encoded string. Lastly, we manipulate the characters within the resulting string:
We decode the obtained data.
When decoding the value of the encoded parameter, we carry out the reverse steps compared to the encoding process.
When exchanging data, we use two methods of signing, either:
Symmetric signing, where both parties use the same password for signing and verification.
Example of the signing password:
33cec89hjab1d77b10d21fba67528g5h
Asymmetric signing, where parties generate private keys, use them to generate SSL certificates, and exchange these certificates. They use private keys for data signing and the Partner's certificate for signature verification (after receiving data from the Partner).
Example of an SSL certificate:
Before signing data or before verifying the authenticity of signed data, it is crucial to maintain a consistent order of combining parameters into a unified string.
The parameters (data) that you send to or receive from OPAY will be arranged in the order determined by the sending party. Here's an example in PHP language if you were to prepare to send a request with three parameters:
When sending these parameters using the HTTP POST method, they could be combined into a string like this (the order of parameter arrangement is not important):
When signing parameters or verifying their signature, the parameters should also be concatenated into a single string, but in a different way than in an HTTP POST parameter string. There is no equal sign (=) between the parameter name and its value, and the parameters are not separated by an ampersand (&) symbol. Parameter names are combined with their values into a single long word - string. Special and non-ASCII characters in this string are not replaced with their equivalents (as done in URL encoding), unlike in an HTTP POST string.
Example of the string:
IMPORTANT! The sequence of parameters in the line used for signing or verifying the signature must precisely match the order of parameters in the sent parameter string. This means that the arrangement of parameters in the string used for signing or verifying the signature must mirror the arrangement of parameters in the sent or received parameter string.
Signing
When signing parameters, a signing string must be generated from all the prepared parameters for transmission (excluding the parameters password_signature and rsa_signature).
For symmetric signing, the signing process involves combining the signing string and the signing password into a single line, which is then hashed using the md5 algorithm.
The acquired symmetric signature is included as the password_signature parameter among the prepared parameters intended for transmission to OPAY. It is recommended that before sending the prepared parameters to OPAY, the parameters should also be encoded and sent as a single encoded parameter (refer to the section Data Encoding to Prevent Potential Distortions).
Signature Verification
The signature is verified by forming a signature verification line from all received parameters (excluding the parameters password_signature and rsa_signature). OPAY sends the parameters encoded into a single parameter called encoded, so to obtain the desired parameters, the value of the encoded parameter needs to be decoded (Refer to the section Data Encoding to Prevent Potential Distortions).
We sign the signature verification line, and then compare the obtained result with the value of the received parameter password_signature. If the values match, authentication is successful.
Generation of Private Key and SSL Certificate
To generate these keys, OPAY suggests using OpenSSL software (https://www.openssl.org/).
The private key is generated using the command line by entering the command:
In the current directory, a text file named privkey.pem will be generated, containing the private key. The number 2048 in the command signifies the length of the key in bits. According to security requirements in effect today, this is the shortest recommended key length.
An SSL certificate is generated by executing the following command at the command line:
In the command, the filename of the private key file privkey.pem is specified. Also, the name of the text file where the SSL certificate should be created and written to cacert.pem is indicated. The number 3650 signifies the number of days the certificate should be valid from its generation. After this period, a new certificate should be generated and provided to OPAY. Once the certificate expires, the OPAY system will continue to validate the requests sent by the Merchant with the expired certificate. The expiration of the certificate does not have any technical impact. The decision of setting the certificate's validity period and when to renew the certificate is made by the Merchant.
When entering the command for SSL certificate generation, you will be prompted to provide your company's details. For example:
Signing
When signing parameters, a signing string needs to be formed by taking all the prepared sending parameters (excluding the parameters password_signature and rsa_signature) and signing it.
Received asymmetric signature is added as the rsa_signature parameter to the prepared sending parameters that are sent to OPAY. It is preferable that before sending the prepared parameters to OPAY, the parameters are encoded and sent as a single encoded parameter (refer to the section Data Encoding to Prevent Potential Distortions).
Signature Verification
The signature is verified from all received parameters (excluding parameters password_signature and rsa_signature) by forming a line intended for signature verification. OPAY sends the parameters encoded into a single parameter called encoded, therefore, to retrieve the desired parameters, the encoded parameter value needs to be decoded (Refer to the section Data Encoding to Prevent Potential Distortions).