worldline Direct
Sign up

Get started

Security lies at our heart, so we have taken steps to help you to process transactions more safely. To reduce the risk that someone other than you can use your integration, our platform uses security codes linked to your PSPID.

The so-called API Key and API Secret provide a unique signature to the traffic between your system and our platform. You can define these for each of your PSPIDs in the Merchant Portal. Any server-to-server request from your system to our platform (via your PSPID) needs to contain both the API Key and API Secret. Our platform tries to match the codes we receive from you with the ones configured in the Merchant Portal.

Our Server SDKs offer a simple solution for this mechanism, requiring only few lines of coding. If you wish to use your own software, manual implementation is also possible.

Target most up-to-date API base URL

We encourage you to always target the most up-to-date API base URL when sending requests to our platform. Have a look at our dedicated guide for a full overview.

To allow you a smooth transition, previous API base URLs remain available until further notice.

2. Configure API key and API secret

To configure the API Key and API Secret in your PSPID, follow these steps:

  1. Login to the Back Office. Go to Configuration > Technical information > API settings > Direct API Key
  2. If you have not configured anything yet, the screen shows “No api credential found”. To create both API Key and API Secret click on “GENERATE”
The image shows the Back Office message "No api credential found"
  1. The screen now shows both codes in the table in the “Key” / “Secret” column respectively
The image shows the information available in the "API settings" Back Office tab
Make sure to save the API Secret in your system right away, as it will not be visible in the Back Office anymore once you access this menu anew. However, you can look up the API Key anytime
Key The current key configured in this PSPID
Version date The date when the Key/Secret pair was created
Expiration date The date when the Key/Secret pair will expire. Default time of permanency is two years
Status The current status of the API key/secret pair
  • "Active": usable until the date as defined in column “Expiration date”
  • "Expiring": expires after the date as defined in column “Expiration date”

If you wish to use a new API Key and API Secret, follow these steps

  1. Select a period from the drop down menu “leave valid for X hour(s)”. Click on the “RENEW” button. The currently used API Key/Secret pair will expire after the date as defined in “Expiration date”
  2. At the same time, a new API Key/Secret appears in the first line of the table. Make sure to save the API Secret in your system, as it will not be visible in the Back Office anymore once you access this menu anew
  3. To force an immediate expiration of the expiring API Key/Secret, click on “EXPIRE”. Our platform removes the respective API Key/Secret from the table and our platform, making it unusable for requests
Do not click on on “EXPIRE” if you have only one API Key/Secret at the time, as this will make them unusable instantly. Make sure to create a new API Key/Secret pair first before you force the expiration of the currently used pair.

Use API key and API secret with SDKs

Once you have set up your API Key/Secret in the Merchant Portal, you can use them for requests you send to our platform. Our Server SDKs make it really easy to do so.

Have a look at this code sample that demonstrates how to add them in a standard Hosted Checkout Page request:

This authentication mechanism is only applicable to the Server API. The Client API employs a different mechanism.

Authenticate without SDKs

You can use our API without the SDKs by sending requests to our endpoints directly. This requires you to follow a different authentication mechanism.

Essentially, you need

  • To hash with your API Secret over several HTTP headers (the signature contents or signed-data) you send along with your request
  • Send this hash (the signature) together with your API Key to verify the authentication

Have a look at the following chapters to understand how this works and our GET, POST and DELETE examples.

Understand authentication process

A GET/POST/DELETE request following this approach includes the following steps:

  1. Create a string-to-hash, consisting of several HTTP headers
  2. Calculate the hash using the algorithm HMAC-SHA256 with your API Secret
  3. Send the actual request to our platform, including the headers, the hash and your API Key

1. Create string-to-hash

Compose the string-to-hash (the signature contents or signed-data) by following these rules:

Order of the headers

The string-to-hash consists of the following headers, listed in a specific order: 


<HTTP method>
<Content-Type>
<Date>
<CanonicalizedHeaders>
<CanonicalizedResource>

Header Content Conventions

Each header is constructed as follows: 


<lowercased header name>:<header value>;

Apply the following conventions for the content of the headers:

Headers Conventions
<HTTP method> Use either "GET," "POST," or "DELETE" (always in uppercase) depending on the HTTP method used.
<Content-Type> Use the fixed value "application/json; charset=utf-8" for POST requests and use an empty string for GET or DELETE requests.
<Date> Use the "Date" header in RFC1123 format.
<CanonicalizedHeaders> Include custom headers specific to your application, such as X-GCS-ClientMetaInfo.
<CanonicalizedResource> Include the target URI without the HTTP method, and include all decoded query parameters.

Unwrap Header Values

If a header value is wrapped over multiple lines, unwrap each line as described here. Unwrap by replacing a new line or multiple spaces by a single white space.

Have a look at this example:


A very long line<CR><LF>
<SPACE><SPACE><SPACE><SPACE>that does not fit on a single line 

becomes


A very long line that does not fit on a single line

Trim White Spaces

Trim all whitespaces which exist at the start and end of the value.

Have a look at this example:

<space><space><space>Some text<space><space><space>


becomes

Some text

Ensure that each <item> is followed by a new line (line feed), including the last item. 

Have a look at this code sample for a CreateHostedCheckout request:

Although the same rules apply for either HTTP method, you need to take the differences for GET/DELETE requests into account when creating the string-to-hash (I.e. missing content type, addition of query parameters to the request URI).

Have a look at the GET example or the DELETE example in our dedicated chapter to know exactly what you need to do

2. Calculate hash

Once you have created the string-to-hash (the signature contents or signed-data), you need to hash it via the MAC algorithm HMAC-SHA256 with your API Secret.
The result of the hashing is the signature you need to provide in the authorisation header of your request.

Have a look at this code sample:

3. Send request

Finally, you can send your request, including

  • The headers you used for creating the string-to-hash (the signature contents or signed-data)
  • The base64-encoded hash result (the “signature”) and your API Key (which our platform uses to identify your PSPID on our account) in the HTTP header 'Authorization' according to this formula:

    Authorization = "GCS v1HMAC:" + API Key + ":" + signature
  • The JSON-encoded request body for POST requests (GET/DELETE do not require a request body)
    Have a look at this code sample:

Understand string-to-hash examples

As the general requirements for a GET/POST/DELETE request differ, the construction of the string-to-hash does as well.
Have a look at the following examples to learn how to implement them in your system:

1. POST request

The string-to-hash (the signature contents or signed-data) for a CreateHostedCheckout request:


POST
application/json; charset=utf-8
Wed, 02 Mar 2022 11:15:51 GMT
/v2/yourPSPID/hostedcheckouts
Mind that there is a new line (line feed) after the last header (URI resource) which you also need to consider when hashing the string

2. GET request

The string-to-hash (the signature contents or signed-data) for a GetHostedCheckout request:


GET

Wed, 02 Mar 2022 11:15:51 GMT /v2/yourPSPID/hostedcheckouts/yourHostedCheckoutID
Mind that
  • There is an empty string for Content-Type header, as GET request do not have a request body
  • There is a new line (line feed) after the last header (URI resource) 

which you also need to consider when hashing the string

3. DELETE request

The string-to-hash (the signature contents or signed-data) for a DeleteToken request:


DELETE

Wed, 02 Mar 2022 11:15:51 GMT /v2/yourPSPID/tokens/yourTokenID
Mind that
  • There is an empty string for Content-Type header, as DELETE request do not have a request body
  • There is a new line (line feed) after the last header (URI resource) 

which you also need to consider when hashing the string

Was this page helpful?

Do you have any comments?

Thank you for your response.