API Authentication

To interact with the AutoPay API, you must authenticate your requests. This allows us to identify and validate the information so your operations remain secure. The API uses Web Services Security UsernameToken Profile 1.1.

API Credentials

To integrate with AutoPay, you must have the consumer credentials: login and secretKey.

  • login: Site identifier. It can be considered public, as it is sent as plain data in API requests.
  • secretKey: Site secret key. This must remain private. A new tranKey will be generated from this value and sent with each request.

Authentication Object

The auth parameter must be sent in all API requests and contains the set of properties required to verify authentication.

  • auth.login (string, REQUIRED): Site identifier.
  • auth.tranKey (string, REQUIRED): The generated tranKey credential. This is explained in detail below.
  • auth.nonce (string, REQUIRED): Random value for each request, encoded in Base64.
  • auth.seed (string, REQUIRED): Current date in ISO 8601 format.

Example Authentication

{
    "auth": {
        "login":"aabbccdd1234567890aabbccdd123456",
        "tranKey":"ABC123example456trankey+789abc012def3456ABC=",
        "nonce":"enQ4dXh3YWhkMWM=",
        "seed":"2023-06-21T09:56:06-05:00"
    },
    ...
}

How to generate your authentication

You must know and prepare the following data:

login: The login credential provided when starting your integration. Site identifier.

secretKey: The secretKey credential provided when starting your integration. Site secret key.

seed: The date when the authentication was generated. The date must be in ISO 8601 format. Example: 2023-06-21T09:56:06-05:00

nonce: An arbitrary value that uniquely identifies a request. The raw value is used to compute tranKey; when sent in the request, it must be Base64-encoded. Example: base64('927342197')

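tranKey: Generated programmatically for each request using the following formula: Base64(SHA-256(nonce + seed + secretKey)). Here + is string concatenation, nonce is the raw value before Base64 encoding, and the SHA-256 digest is Base64-encoded from its raw binary form, not its hexadecimal text, as in the code below. This formula must be implemented according to the programming language used.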

Generate authentication

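$login = "siteLogin";
$secretKey = "siteSecretKey"; // keep private; it is never sent in a request
$seed = date('c');            // current date in ISO 8601 format
// Raw nonce from a CSPRNG: rand() is predictable and can repeat across requests
$rawNonce = bin2hex(random_bytes(16));

// Base64(SHA-256(rawNonce + seed + secretKey)); `true` returns the raw binary digest
$tranKey = base64_encode(hash('sha256', $rawNonce.$seed.$secretKey, true));
// Only the Base64-encoded nonce goes on the wire
$nonce = base64_encode($rawNonce);

$body = [
    "auth" => [
        "login" => $login,
        "tranKey" => $tranKey,
        "nonce" => $nonce,
        "seed" => $seed,
    ],
    // ... other params
];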
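
The receiving side of this scheme, as an added example (not AutoPay's code and not part of the original page): it recomputes tranKey from the received nonce and seed, compares in constant time, and rejects stale seeds and reused nonces. The function names, the 5-minute window and the in-memory nonce set are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumed tolerance; the page does not state one


def build_auth(login, secret_key, now=None):
    """Client side: Base64(SHA-256(rawNonce + seed + secretKey))."""
    now = now or datetime.now(timezone.utc)
    raw_nonce = secrets.token_hex(16)  # CSPRNG value, unique per request
    seed = now.isoformat(timespec="seconds")
    digest = hashlib.sha256((raw_nonce + seed + secret_key).encode()).digest()
    return {
        "login": login,
        "tranKey": base64.b64encode(digest).decode(),
        "nonce": base64.b64encode(raw_nonce.encode()).decode(),
        "seed": seed,
    }


def verify_auth(auth, secrets_by_login, seen_nonces, now=None):
    """Verifier side (hypothetical helper): returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    secret_key = secrets_by_login.get(auth.get("login"))
    if secret_key is None:
        return False, "unknown login"
    try:
        seed_time = datetime.fromisoformat(auth["seed"])
        raw_nonce = base64.b64decode(auth["nonce"], validate=True)
        sent = base64.b64decode(auth["tranKey"], validate=True)
    except (KeyError, ValueError, TypeError):
        return False, "malformed auth"
    # A seed without a UTC offset is ambiguous; an old one allows replay
    if seed_time.tzinfo is None or abs(now - seed_time) > MAX_SKEW:
        return False, "seed rejected"
    material = raw_nonce + auth["seed"].encode() + secret_key.encode()
    if not hmac.compare_digest(hashlib.sha256(material).digest(), sent):
        return False, "bad tranKey"
    # Record the nonce only after tranKey checks out, so unauthenticated
    # requests cannot fill the replay cache
    key = (auth["login"], auth["nonce"])
    if key in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(key)
    return True, "ok"
```

In production the nonce set would be a shared store whose entries expire after the seed window.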