Skip to main content

Sign & Verify Request

;TLDR

  1. Download script verify.sh
  2. Download Tokopedia Public Key here
  3. Run script verify <request_body> openapi-pub.txt
  4. Set generated header from script to your request

Guide

Signature are encrypted string that will be use to verify that the private key and public key are match. Private key will generate the signature, and public key will verify the signature. The signature will be sent by webhook OpenAPI using header request TKPD-Signature. Partner should to verify this signature before decrypting the message. Generating signature need algoritm, sender private key and request body as materials. Verifying signature can be done using three materials: algorithm, request body, and sender public key.

Algorithm that we use is RSA PSS Signature with SHA256 then encrypted as base64. Generated signature always unique, even though generated with the similar request body and public key. You can check the script sign.sh and verify.sh for detailed algorithm using openssl.

On development phase, you can try to generate new pair of key for testing sign and verify process. Then you can use that private key to generate signature using this command below:

echo -n '{"fs_id":13000}' | openssl dgst -sign private.pem -sigopt rsa_padding_mode:pss -sha256 | openssl base64 -A

You can create your signature using our downloadable script sign.sh. To generate the signature can use this command:

chmod +x sign.sh
./sign.sh <request_body> <private_key>

Here is the example:

> sudo chmod +x sign.sh
> ./sign.sh `{"fs_id":13000}` private.pem 
TKPD-Signature: ZnNLR51hUyjMtMFCxq2cxGfACZuf4caH5pmoXMDQ7C1bqum1IWtdsmU/DNOHYuH5KAL6b7kCbePo53RdBxqCCx22G483mRHvSUc+2PJERUjTLeHRhdXYymZDhg5bUzn8AlaLGaUmF1cH2SUsgoy6UtuDPepotwzP61XMHc8NRhNkgq5DwJwTGKRtA0PBakrNrcfcwND2Nq3ovnJLe+o6xFH8ypDmLa+l7kzZgG/PthJ8BYsd5B9L/tXknDm8IrQxKmRtF+ME3POViiMCYBUSHB4jpBl94CPqeidNmc2oyAlBy+bXJ5CUIak737RG4QdXnReVRm1Hgckf34TL1tFGnkORf0J8ngrXLNk6u5Kfz1/NcTJKSta8FbmmcAGTNyuKw12zaBsf9iU4YSD/j4Gn9s9CzR0U8GPk948A/vaoBqwjF2pPhfosffqHFl0s2Y2Jn4pYqEp9QyBvHRV/RtrazFIXb8rJ+pQC6dSddqA1XLJkxN7cYo6E/+TQinUKRyvzbY0bw8zXlhH0xfhse8/o2itAUWEfQSW/S4eUnibVG6R83tSoPRxRFxNxBXJU5yayipjoHb61jdGCSs2N7np2ncySd6YxN40xkjBww8WgO+Mf+S93TmWcZRIeZ6YaUJUK5U80ZZOnwb3GgmRwlimV2wfmeJmSqp9JBxcl

The steps to verify the signature:

  1. Decode signature from base64 to bytes
  2. Hash body request using SHA256
  3. Verify with RSA PSS algorithm using materials: public key sender, hash function (SHA256), hashed body request, and decrypted signature

You can try to verify the signature using our downloadable script verify.sh. Make sure the openssl version is 1.1.1 or newer. To verify the signature can use this command:

chmod +x verify.sh
./verify.sh <request_body> <public_key> <signature>

Here is the example:

> sudo chmod +x verify.sh
> ./verify.sh '{"fs_id":13000}' public.pub ZnNLR51hUyjMtMFCxq2cxGfACZuf4caH5pmoXMDQ7C1bqum1IWtdsmU/DNOHYuH5KAL6b7kCbePo53RdBxqCCx22G483mRHvSUc+2PJERUjTLeHRhdXYymZDhg5bUzn8AlaLGaUmF1cH2SUsgoy6UtuDPepotwzP61XMHc8NRhNkgq5DwJwTGKRtA0PBakrNrcfcwND2Nq3ovnJLe+o6xFH8ypDmLa+l7kzZgG/PthJ8BYsd5B9L/tXknDm8IrQxKmRtF+ME3POViiMCYBUSHB4jpBl94CPqeidNmc2oyAlBy+bXJ5CUIak737RG4QdXnReVRm1Hgckf34TL1tFGnkORf0J8ngrXLNk6u5Kfz1/NcTJKSta8FbmmcAGTNyuKw12zaBsf9iU4YSD/j4Gn9s9CzR0U8GPk948A/vaoBqwjF2pPhfosffqHFl0s2Y2Jn4pYqEp9QyBvHRV/RtrazFIXb8rJ+pQC6dSddqA1XLJkxN7cYo6E/+TQinUKRyvzbY0bw8zXlhH0xfhse8/o2itAUWEfQSW/S4eUnibVG6R83tSoPRxRFxNxBXJU5yayipjoHb61jdGCSs2N7np2ncySd6YxN40xkjBww8WgO+Mf+S93TmWcZRIeZ6YaUJUK5U80ZZOnwb3GgmRwlimV2wfmeJmSqp9JBxcl
Verified OK

Have a feedback?