Access Token
For system security purposes, there are two steps you need to complete before sending transaction requests.
Step 1. Fetch random code
At the beginning of the request process, you should fetch a random code from our service.
Request
API URL: /merchant/random_code
Content-Type: application/json
Param | Type | Required | Description |
---|---|---|---|
user_id | String | ✅ | Merchant identification |
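PHP:

```php
// sendRequest() is not defined on this page; it is assumed to POST $params
// to the API host with the given headers and return the raw response body.
function getRandomCode()
{
    global $user_id;
    $url = '/merchant/random_code';
    $params = json_encode(['user_id' => $user_id]);
    $header = ['Content-Type: application/json'];
    $response = sendRequest($url, $params, $header);
    $response = json_decode($response, true);
    return $response['data']['code'];
}
```

Java:

```java
import com.mashape.unirest.http.HttpResponse;
import com.mashape.unirest.http.JsonNode;
import com.mashape.unirest.http.Unirest;
import com.mashape.unirest.http.exceptions.UnirestException;
import org.json.JSONObject;
import java.util.HashMap;
import java.util.Map;
import java.util.SortedSet;
import java.util.TreeSet;

// user_id is assumed to be a static String field of the enclosing class.
public static String getRandomCode() throws UnirestException {
    Map<String, String> params = new HashMap<>();
    params.put("user_id", user_id);
    JSONObject jsonObject = new JSONObject();
    SortedSet<String> parameter = new TreeSet<>(params.keySet());
    for (String key : parameter) {
        jsonObject.put(key, params.get(key));
    }
    // 0 disables the connection and socket timeouts.
    Unirest.setTimeouts(0, 0);
    // Prefix the path with the API host for your environment.
    HttpResponse<JsonNode> response = Unirest.post("/merchant/random_code")
        .header("Content-Type", "application/json")
        .body(jsonObject.toString())
        .asJson();
    return response.getBody().getObject().getJSONObject("data").getString("code");
}
```

Python:

```python
import requests


def getRandomCode(user_id):
    params = {"user_id": user_id}
    # Prefix the path with the API host for your environment.
    response = requests.post(url='/merchant/random_code', json=params, timeout=10)
    if response.status_code == 200:
        # Return only the random code, not the whole response body.
        return response.json()['data']['code']
    else:
        return None
```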
Response
Param | Type | Required | Description |
---|---|---|---|
code | String | ✅ | The random code used to fetch the access token. Note that it is only valid for 30 seconds. |

```json
// Example
{
  "code": "1000",
  "message": "Accepted",
  "data": {
    "code": "VL4hrMLmM3THd2iQDNOoa45cGZhx2zH7" // here is the random code
  }
}
```
Step 2. Get access token
After getting the random code, send a second request to get the access token, which must be included in each transaction request you send to PTS. The access token remains valid until the expiry time provided in the response is reached. That means you should cache the access token in your service and repeat the two-step request when the access token has expired.
You should implement a mechanism to store the access token and check whether it has expired before sending each transaction request.
Request
API URL: /merchant/token
Content-Type: application/json
Param | Type | Required | Description |
---|---|---|---|
user_id | String | ✅ | Merchant identification |
hash | String | ✅ | Please follow the tip below to generate. |
Concatenate `random_code` + `user_id` + `safecode` in the given order, without any separator or whitespace. Then pass the concatenated string to the SHA256 hash function to get the hash.
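PHP:

```php
// sendRequest() is not defined on this page; it is assumed to POST $params
// to the API host with the given headers and return the raw response body.
function getToken()
{
    global $user_id, $safecode;
    $url = '/merchant/token';
    $params = json_encode([
        'user_id' => $user_id,
        // SHA256 of random_code + user_id + safecode, no separators
        'hash' => hash('sha256', getRandomCode().$user_id.$safecode)
    ]);
    $header = ['Content-Type: application/json'];
    $response = sendRequest($url, $params, $header);
    $response = json_decode($response, true);
    $data = $response['data'];
    return $data['token_type'].' '.$data['access_token'];
}
```

Java:

```java
import com.mashape.unirest.http.HttpResponse;
import com.mashape.unirest.http.JsonNode;
import com.mashape.unirest.http.Unirest;
import org.apache.commons.codec.digest.DigestUtils;
import org.json.JSONObject;
import java.util.HashMap;
import java.util.Map;
import java.util.SortedSet;
import java.util.TreeSet;

// user_id and safecode are assumed to be static String fields of the enclosing class.
public static String getToken() {
    try {
        // getRandomCode() throws a checked exception, so it is called inside the try block.
        String randomCode = getRandomCode();
        // SHA256 of random_code + user_id + safecode, no separators
        String originalString = randomCode + user_id + safecode;
        String sha256hex = DigestUtils.sha256Hex(originalString);
        Map<String, String> params = new HashMap<>();
        params.put("user_id", user_id);
        params.put("hash", sha256hex);
        JSONObject jsonObject = new JSONObject();
        SortedSet<String> sortedParams = new TreeSet<>(params.keySet());
        for (String key : sortedParams) {
            jsonObject.put(key, params.get(key));
        }
        // 0 disables the connection and socket timeouts.
        Unirest.setTimeouts(0, 0);
        // Prefix the path with the API host for your environment.
        HttpResponse<JsonNode> jsonResponse = Unirest.post("/merchant/token")
            .header("Content-Type", "application/json")
            .body(jsonObject.toString())
            .asJson();
        JSONObject data = jsonResponse.getBody().getObject().getJSONObject("data");
        return data.getString("token_type") + " " + data.getString("access_token");
    } catch (Exception e) {
        e.printStackTrace();
        return "";
    }
}
```

Python:

```python
import hashlib
import requests


def getToken(user_id, random_code, safecode):
    # SHA256 of random_code + user_id + safecode, no separators
    sha256 = hashlib.sha256()
    sha256.update((random_code + user_id + safecode).encode('utf-8'))
    digest = sha256.hexdigest()
    params = {"user_id": user_id, 'hash': digest}
    # Prefix the path with the API host for your environment.
    response = requests.post(url='/merchant/token', json=params, timeout=10)
    if response.status_code == 200:
        data = response.json()['data']
        # Same return value as the PHP and Java versions.
        return data['token_type'] + ' ' + data['access_token']
    else:
        return None
```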
Response
Param | Type | Required | Description |
---|---|---|---|
access_token | String | ✅ | The token to put into your request header |
token_type | String | ✅ | The type of token |
expires_in | Integer | ✅ | Token expiry time in seconds |

```json
// Example
{
  "code": "1000",
  "message": "Accepted",
  "data": {
    "access_token": "cyJacasxzxc...",
    "token_type": "bearer",
    "expires_in": 300
  }
}
```
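
The caching mechanism that Step 2 asks for, sketched in Python as an added example (not code from the original page). `TokenCache`, `token_hash`, the `post(path, payload)` transport hook and the 30-second `skew` are assumptions for illustration; `post` must send the JSON payload to the API host and return the decoded response body.

```python
import hashlib
import threading
import time


def token_hash(random_code, user_id, safecode):
    """SHA256 hex digest of random_code + user_id + safecode, no separators."""
    joined = random_code + user_id + safecode
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


class TokenCache:
    """Caches the access token and repeats both steps shortly before it expires.

    post(path, payload) -> dict is a hypothetical transport hook (not part of
    the documented API); safecode is a secret and must never be logged.
    """

    def __init__(self, post, user_id, safecode, skew=30, clock=time.monotonic):
        self._post, self._user_id, self._safecode = post, user_id, safecode
        self._skew, self._clock = skew, clock
        self._lock = threading.Lock()
        self._header, self._expires_at = None, 0.0

    def authorization(self):
        """Return 'token_type access_token', refreshing if missing or near expiry."""
        with self._lock:  # only one refresh runs, even with concurrent callers
            if self._header is None or self._clock() >= self._expires_at:
                self._refresh()
            return self._header

    def _refresh(self):
        started = self._clock()  # count the lifetime from before the requests
        code = self._post("/merchant/random_code", {"user_id": self._user_id})["data"]["code"]
        # The random code is valid for 30 seconds only, so it is used immediately.
        data = self._post("/merchant/token", {
            "user_id": self._user_id,
            "hash": token_hash(code, self._user_id, self._safecode),
        })["data"]
        self._header = data["token_type"] + " " + data["access_token"]
        # Refresh `skew` seconds early so a token does not expire mid-request.
        self._expires_at = started + max(int(data["expires_in"]) - self._skew, 0)
```

Call `authorization()` before every transaction request; it only contacts the service when no token is cached or the cached one is within `skew` seconds of expiry.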