Authentication
To interact with the Checkout API you must authenticate your requests. This lets us identify and validate the information so that your operations are safe. The API uses Web Services Security UsernameToken Profile 1.1.
API credentials
To integrate with Checkout you must have your login and secretKey credentials.
- login: Site identifier. It can be considered public, as it travels as plain data in API requests.
- secretKey: Secret key of the site. It must be kept private; a new tranKey is generated from it and sent in the requests.
These credentials are unique to your site and must be treated securely. Do not share your credentials in publicly accessible areas such as GitHub, client-side code, or other places easily accessible to third parties.
Authentication object
The auth parameter must be sent in all API requests and contains the set of properties needed to verify authentication.
- auth.login (string, REQUIRED): Site identifier.
- auth.tranKey (string, REQUIRED): Generated tranKey credential. It is explained in detail below.
- auth.nonce (string, REQUIRED): Random value for each request, Base64 encoded.
- auth.seed (string, REQUIRED): Current date, generated in ISO 8601 format.
Sample Authentication
{
    "auth": {
        "login": "1441d14df19ec88431e513bb990326e1",
        "tranKey": "DGYymv6ohpYwtLWon/iADE/COoo9JXt4jqyk6D006PY=",
        "nonce": "enQ4dXh3YWhkMWM=",
        "seed": "2023-06-21T09:56:06-05:00"
    },
    ...
}
How to generate your authentication
You must know and prepare the following information:
- login: login credential provided when starting your integration. Site identifier.
- secretKey: secretKey credential provided when starting your integration. Site secret key.
- seed: The date the authentication was generated. The date must be in ISO 8601 format. Example: 2023-06-21T09:56:06-05:00
- nonce: Arbitrary value that identifies a request as unique. It is generated and used for other operations. When sending it, it must be Base64 encoded. Example: base64('927342197')
- tranKey: Generated programmatically on every request, with the formula Base64(SHA-256(nonce + seed + secretKey)). This formula must be translated according to the programming language used.
Generate authentication
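<?php
$login = "siteLogin";
$secretKey = "siteSecretKey";
// seed: current date in ISO 8601 format
$seed = date('c');
// Raw nonce: unique per request; random_int() draws from a CSPRNG, unlike rand()
$rawNonce = (string) random_int(0, PHP_INT_MAX);
// tranKey: Base64 of the RAW SHA-256 digest (third argument true),
// computed over the un-encoded nonce, the seed and the secret key
$tranKey = base64_encode(hash('sha256', $rawNonce.$seed.$secretKey, true));
// The nonce is Base64 encoded only for sending
$nonce = base64_encode($rawNonce);
$body = [
    "auth" => [
        "login" => $login,
        "tranKey" => $tranKey,
        "nonce" => $nonce,
        "seed" => $seed,
    ],
    // ... other params
];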
Possible errors
Frequent errors
Error message "Malformed authentication":
It occurs when the system does not detect login, tranKey, seed or nonce in the auth structure that was sent. It can also occur when these values are sent but incorrectly, that is, without the content-type parameter "application/json", so the server interprets the request as text instead of an array of data. You can validate this by making the request to the URL https://dnetix.co/p2p/client and capturing the response; it is a kind of mirror of the request that lets you check the parameters and the body of the message.
Error connecting to service with message ERROR: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake:
Your servers require TLSv1.2 to receive the request, due to the PCI standard. Please check the encryption and protocol used to connect to the server. If you use Java, keep in mind that only versions after 8 are fully supported.
SoapFault responds with the message "Authentication Failed 103":
In the authentication process, Placetopay checks the Created field. This field must be in GMT or in local time with its time zone. If you get this response, it is because your clock does not match the real time. We only allow a 5-minute difference between times. You can use NTP to keep the clock accurate.
Giving the EXACT same values as the examples above to BASE64(SHA256($Nonce + $Created . $secretKey)) I am getting a different password digest:
Keep in mind that Base64 must be applied to the raw output of SHA-256; depending on the programming language, an option may need to be set for this. For example, in PHP, base64_encode(hash('sha256' … , true)): the true parameter returns the raw output of the SHA-256 algorithm.
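A Python translation of the tranKey formula, with a local pre-flight check for the failure modes listed under "Frequent errors" (missing fields, clock difference over 5 minutes, digest mismatch). This is an added example, not Placetopay's code: tran_key, build_auth, check_auth and MAX_SKEW are hypothetical names, and the check mirrors only what this page describes, not the gateway's actual validation.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # tolerance stated in the "Authentication Failed 103" entry


def tran_key(raw_nonce: bytes, seed: str, secret_key: str) -> str:
    """Base64(SHA-256(nonce + seed + secretKey)), using the un-encoded nonce."""
    # .digest(), not .hexdigest(): Base64 of the hex string is 88 characters, not 44
    digest = hashlib.sha256(raw_nonce + seed.encode() + secret_key.encode()).digest()
    return base64.b64encode(digest).decode()


def build_auth(login: str, secret_key: str, now=None) -> dict:
    """Build the auth object; `now` (timezone-aware) is injectable for testing."""
    now = now or datetime.now(timezone.utc)
    seed = now.replace(microsecond=0).isoformat()  # ISO 8601 with explicit offset
    raw_nonce = secrets.token_hex(16).encode()     # unique per request, from a CSPRNG
    return {
        "login": login,
        "tranKey": tran_key(raw_nonce, seed, secret_key),
        "nonce": base64.b64encode(raw_nonce).decode(),
        "seed": seed,
    }


def check_auth(auth: dict, secret_key: str, now: datetime) -> str:
    """Classify an auth object before sending it: ok, malformed, clock-skew or bad-trankey."""
    fields = ("login", "tranKey", "nonce", "seed")
    if not all(isinstance(auth.get(k), str) and auth[k] for k in fields):
        return "malformed"
    try:
        raw_nonce = base64.b64decode(auth["nonce"], validate=True)
        seed_time = datetime.fromisoformat(auth["seed"])
    except ValueError:
        return "malformed"
    if seed_time.tzinfo is None or abs(now - seed_time) > MAX_SKEW:
        return "clock-skew"
    expected = tran_key(raw_nonce, auth["seed"], secret_key)
    if not hmac.compare_digest(expected.encode(), auth["tranKey"].encode()):
        return "bad-trankey"
    return "ok"
```

Calling check_auth(build_auth(login, secret_key), secret_key, datetime.now(timezone.utc)) before the first real request shows whether an integration has hit the hex-digest or clock problem without a round trip to the API.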