# Signature SNAP

Standar Nasional Open API Pembayaran(SNAP) or national standard of open API is a standard of online payment API that is made by Bank Indonesia(BI). Signature SNAP used for integrity checking and non-repudiation, it also used to authenticate and authorize the request of API services.

## Generate Signature SNAP

To generate Signature SNAP you can use this format:

<table data-header-hidden><thead><tr><th width="214"></th><th></th></tr></thead><tbody><tr><td><strong>Signature type used</strong></td><td>Asymetric-Signature</td></tr><tr><td><strong>Format</strong></td><td><code>SHA256withRSA (Private_Key, stringToSign)</code></td></tr></tbody></table>

#### Generate Signature Parameters

<table><thead><tr><th width="192">Parameter</th><th>Description</th></tr></thead><tbody><tr><td>Private_Key</td><td>A key used for authenticating the request (Generated by merchant)</td></tr><tr><td>stringToSign</td><td><p>To create a string that will be used to generate a signature.<br></p><p><strong>Formula:</strong> HTTPMethod+”:“+EndpointUrl+":“+Lowercase(HexEncode(SHA256(minify(RequestBody)))) + ":“ + TimeStamp</p></td></tr><tr><td>HTTPMethod</td><td>POST / DELETE / PUT (based on service API)</td></tr><tr><td>EndpointURL</td><td>Complete the Endpoint URL including all related URL parameters (Relative path, example: Path in the general information of each API service)<br><strong>Sample:</strong><br><strong>SNAP Virtual Account:</strong> /v1.0/transfer-va/create-va<br><strong>SNAP Direct Debit:</strong> /v1.0/debit/payment-host-to-host<br><strong>SNAP QRIS:</strong> /v1.0/qr/qr-mpm-generate<br><strong>SNAP Disbursement:</strong> /account/v1.0/account-inquiry-external</td></tr><tr><td>RequestBody</td><td>Data that send to API services</td></tr><tr><td>TimeStamp</td><td><p>Timestamp request sent</p><p><strong>Format:</strong> datetime ISO 8601</p><p><strong>(sample: 2022-12-12T16:00:00+07:00)</strong></p></td></tr></tbody></table>

You can get a signature by following these steps:

1. By using `stringToSign` a string will be created, the string used for generating a signature.
2. Signature will be generated using algorithm `SHA256withRSA` with string that has been created, and the private key that owns by merchant.
3. Next, the signature will be encoded by `base64_encode`.
4. A signature that has been encoded now can be used as the value for `X-SIGNATURE` on the request header of SNAP API services.

<details>

<summary>Sample Code Generate Signature</summary>

```json
public function generateSignature($data){
        $stringToSign = $data['method'].":".$data['endpoint'].":".hash('sha256', $data['body']).":".$data['timestamp'];
 
        $prv_data = file_get_contents("private.key");
        $private_key = openssl_get_privatekey($prv_data);
 
        $signature = "";
 
        openssl_sign($stringToSign, $signature, $private_key, OPENSSL_ALGO_SHA256);
 
        return base64_encode($signature);
    }
```

</details>

### Signature Request Sample

<table data-header-hidden><thead><tr><th width="179"></th><th></th></tr></thead><tbody><tr><td>API Service</td><td>Create VA</td></tr><tr><td>Method</td><td>POST</td></tr><tr><td>Endpoint URL</td><td>/v1.0/transfer-va/create-va</td></tr><tr><td>Request Body</td><td><p>{</p><p>    "virtualAccountName": "Jokul Doe",</p><p>    "virtualAccountEmail": "jokul@email.com",</p><p>    "virtualAccountPhone": "6281828384858",</p><p>    "trxId": "abcdefgh1234",</p><p>    "totalAmount":</p><p>    {</p><p>        "value": "12345678.00",</p><p>        "currency": "IDR"</p><p>    },</p><p>    "expiredDate": "2020-12-31T23:59:59-07:00",</p><p>    "additionalInfo":</p><p>    {</p><p>        "billDate": "2020-12-31T23:59:59-07:00",</p><p>        "channelCode": "402",</p><p>        "billDescription": "Maintenance"</p><p>    }</p><p>}</p></td></tr><tr><td>Request Body (hashed with SHA256 algorithm)</td><td>f7e939e8227670a065e4a6f99b42346bfa20724a8e3c775be93b57c95c954dfd</td></tr><tr><td>Timestamp</td><td>2022-12-12T16:00:00+07:00</td></tr><tr><td>String to Sign for Generating Signature</td><td>POST:/v1.0/transfer-va/create-va:f7e939e8227670a065e4a6f99b42346bfa20724a8e3c775be93b57c95c954dfd:2022-12-12T16:00:00+07:00</td></tr><tr><td>Private Key</td><td>IIJKgIBAAKCAgEAvMf/FcbYqDVzWuxNnhf4Agg15+66+rfnVWZJZZvHkz9RPkYR/D3dtbeqfKhK6JnlqUaQDMIV2bUULB33vsjCDjYqv+bH8cISHCAU62VU3m4a0pLdAJH6uzz3Ebj+nCNDFzEkQZ/51DzrqqAuZ2EnkW2aYht5DCRjiYqrtHoabsEZh+uGGwQK7gT/cNT/wVMgYWY2NZSeBeWvn/8FBVQnAxEAzH1c2lq1Wrrxk5m6Fbxj5Gaovlfzr1Ijh77FB+0YIiD5RmuucaOmTHOq/7UofEburu1xqFY3XaTSNmAiG5Udp/ntt7H3ZqyRpMwAZyo9RApwMbVh1Z+SfJbzHCoqi6Ex7+jFnxDHs+/JxTRsCtHNT3pzrYjq4gl0ot8+SJXKqvtnT0A0W8BIMbzlP9nUKEa9SD4zF1hnbP4hhYXUMaWEi/PUCYGJQMZcPsnXnoJVCEarg5Ni1QTHky5nkbWFsLbiZZiR87ImLt3nWOUyJD6VolCvU5m8EANx9JFqFWEF9BNcr/ZJeoEj8TyPK3RTlsAFJ7+asDWSAW9xsb9mcu4hviQfD/eECDibZBnTogWS1uyDZrKM6e/UTbCA8LyvgMej2NRfC+XYT7W2ul24f7NrMyzGDoHZaLmzoxqeq8NSvtssxr1jkiqLl6TqLMs0zse7yH+idgmfhLnQ2rZPmNUCAwEAAQKCAgEAmVSf3SIq60SusxTnXhb9uzjL/9upRuaEIJr51muWyARPipMDHKtrHqNU9/cBELefD8ReT958PN2Uyth0VyNcaoqYYlGh6LzGVM3B8AfXzOoFIy9iDYqD6fx0eJKXSl5hqb6iQiMbmcT5bRa5WgJRTw+Eq1bBFJmhtx9Io0fhnD9+6yTjQaIg9n5cs1pteKp5zGJmeVKCnyuVYBCUFWXqYdU3nt/bwQaX8l+Qw1/DAtCHGgY/3Io3RRkj/qd2BSAPz/iUPxxLDcXr1oDETPjpLze1uaLmA+IzCf5LNxsR2PFeqwaWi/MijORxTzbaxPBL3q3TvqwiEI6RPlykjSW6c1LKG565q58F6H7jr8A0UPINRDTRbtx8Hc5YhPFTgL7HB8sIqYTBXV1n2qCBdhD4oCMz4+dCmrydZQFFJZti6LmKZtY/6TyP8TX0GrCV1osxywD6qJGpjorI7Yse1edBbBtqLwfyyO3xs3j+DCvMxZmsuly0LNECK4CakLiojPm7pRyw2J/B91ZG+vvD+13orryaWwaiT/Row2MSEUAeOoCwxGIB9c2eFW2UCuZ6GoX9iu15r6BV3+U+1rY6NBPKndZETZozyMTAPbp30RDTRR0qdoLYqwsOctgMsmUoFf9jBccLX2nCBBOaRglvPpDCP+/OcdLbzno5dP4pGfc7z+kCggEBAPkktZ8Xcr8qv0jjylMsBxc2pxfKt9fhlboa2huPjk3v/v+D4RhMzDRX+mr6X4ReNEB9Px+BQKsKosfBMwY6HK5lbMqmuLFKaoQ5NtEAkGyoac8JhWijkJazlycC1Amf9GFmGm9W5GZ7wBaxe6YXwCj1sKJWuDZ0bb8qqdNgZw4xTZQVkyWJed2zhnNQB+hB2M1XLF+wnVgw8lfD9pQAqHo1a25tVa5CFH+6H1uVj5fX8Z4NdGmlh07Aofl0O4inAv5Dx6Ijyvd5D6cjo4ZSElGJDSx4a4F59yB/DAl6uDk0gIj4vnwHZ78j7c+D4g8DkBWixxtRVZwMj3JxVvMl/z8CggEBAMH6BG3XGUe6N8bNcJVqmbD1kEfaxrR0ssjhcHTYlm5Au3+dCdiOYEvTA4WbjHUN/Vr2GfnQe8thsAb8CL18Vy2HXd8IcLdYxRbu55emnDHupmYjWyYXUy7vLCGmi/PKU1yaFwl7AA5fbe2rA32tailLFpmf/7HjYFiy0mq7+74atV2wkKFp8uvMcTK6xXfBJ2j+QsdWTLyTfY3AAUdj7nNyGoEbhiLNiFxQEDQiHYwdcaC8T6IvudYDp+uQIDNz5ROwK/tP3w8W/iMS9ixl/DAqrKzOzlDEkKAzTI/L27nv5S9UhZSpAAqrKzIvNLy/Dwj7Ibk0AS/BYaTp9IKpNusCggEBALco2azf3CfWEVJQxIlosL3MHANNsOIwoZZz7yyb2Q5LBbhrB6yJqQZCN4M2FcqGRvuyGBndN+GGrC0WR6CoUDWVsuk4sEcGYlBaj4YPWB3Joh/m7AEFXmKsHM89MQzyXwLLwVthEgCVsZ39VN3CUC7MkNKH1l2SMqx7fOY81QaGEHZxdf/+lWz7cjiL+YQyBGTRVXnzqXkQYtlK45fi8/kEFLrV/kthoRhViIAX77y9sI91bMPOQS8QRwPRA4Nu5LBwu+7jSW+tvGgvtyQkafsvOlQbI03IkHl/bSX65jyH8IbB96fO+eJ3U3lfh21qPR7q0F2w6bMTONH1qOqQYJkCggEATftgSnQ+Eor3n3G6ACeh7/VY8rouRh/gPEf9eMwV9e8KMeyFJ81dQz5q3QzCs9BS+X2Uxcyd6A62wKgUL3FMbt5Ly71N6zfBzE1xR5NQmfZSaR9vpmmcJHM8r66P9wtw5fqApmwPgre0ruageab81er9A/fByNcbRa1mUEiQlUWRgj/YdTvt0AQZwgY6GsHJQTluyUqVgP5ebF0zZmrzUvAdXageDeHJHyuEyCCq9khkBPWPoilDsZk4qcgAWg8OmhKqK9dZWmyo8JrP4tuBPi/5yWM+qFPNvMnCztBq3l5mKdf19+TVQnS74en+bp70wWyMizMwAu3gfncbuGekzwKCAQEAySH0A5QYWNSSW7OlKd2Ab18HTHWFIma0gRPfexd4wqLPX264dVEdxHwwBf41gE7/Dm6K/SUWTMGWvIYHWv8vZY1gH9bzePuQxR6G1C/64bQ9+VIP2PQWdK3eZkA9dYNlAXVpI0yKJ/OwvfFGJ3eV7ZhoCfnb5cTo/+ZZYuMXvl4BOaPGXJuDlZ2e2Xr4eJa7VLaChBou+a6laoETU9+UC2ItIDENJQQTeQaCcEH00okQHu8DcISus0rnNUtJZt9U8rlnrb7NKKlti+UcNayawphXtqX7Taw3Kg3S6H1737ohnPikyMPN0qaA+ptxGdYIs6wPLmDTvW2kT1jJiSvtDQ==</td></tr><tr><td>Generated Signature using Private Key with SHA256RSA &#x26; Encode with base64 (X-SIGNATURE):</td><td>nDbaEgmkto+t9zyADVFwTmnKICKENHg/+dtGAUyoxoZr0pHBZ3KC4JrLCrXtqRqf2FbsTK2kUBlCfRjTkJ0rZ+KCPdJ/J4GszU71vf3G7Iip6nPUhG/Cxsj2dXbEojhHvBSp+gYGugTGiMbEZ4VhVLUFGMKFoi87mGRruuJdX/FXdWMd0b5+yPfthmdOTbULNzhjVNZMDCGmhQ722ua8pS5IVSZE92h0qPA352vLef/4Sbmaljxs/QyIZG7S264xnMhQ+GN4M1Gn/x32ZAqQsRA+6CoK0F1sQlwl4S1eskjoksvxbDnTWViVVWIhPylb+7bMsYT3NYxhVLnbWIQ8Y7HV4VHScyG6IOILKtvoOqY5z1w5rSSTJub3ZolJz/7jpe+/BjozkEYiiG7jn6bD/T5HWMKuub56HGP5/mbKXSVtgfA8QzlCH7574mD+xK/bteT1LPBRsQXUpiuCNCmCx4Et6ln0lJPb52PyOMP0op96OJT6636gqZci/N+j2XpovR4HAIdw5chjBY28MmYg4CBjcoXLcYcA6YSVIRQ3/iIS+uG/dfHsrxIjWxtFuDrOyPrdvhQg0BL+vF5CfKbDKs/o/3fanPGlyEyjV3Ca9/goK4SCZ3KDTmSEhPLZ9F3fMAuL6ufGQL1ZinlWuynqegDacfr1GZRcUVBSLaZI0dg=</td></tr></tbody></table>

## SNAP API Service - Sample Request

This is the sample of Create VA request using the signature that has been generated. Details of SNAP create VA can be seen [here](https://docs.faspay.co.id/merchant-integration/api-reference-1/snap/snap-virtual-account#create-virtual-account-va).

#### Request Header

<details>

<summary>Sample Request Header SNAP Create VA</summary>

```json
X-TIMESTAMP: 2022-12-12T16:00:00+07:00
X-SIGNATURE: nDbaEgmkto+t9zyADVFwTmnKICKENHg/+dtGAUyoxoZr0pHDZ3KC4JrLCrXtqRqf2FbsTK2kUBlCfRjTkJ0rZ+KCPdJ/J4GszU71vf3G7Iip6nPUhG/Cxsj2dXbEojhHvBSp+gYGugTGiMbEZ4VhVLUFGMKFoi87mGRruuJdX/FXdWMd0b5+yPfthmdOTbULNzhjVNZMDCGmhQ722ua8pS5IVSZE92h0qPA352vLef/4Sbmaljxs/QyIZG7S264xnMhQ+GN4M1Gn/x32ZAqQsRA+6CoK0F1sQlwl4S1eskjoksvxbDnTWViVVWIhPylb+7bMsYT3NYxhVLnbWIQ8Y7HV4VHScyG6IOILKtvoOqY5z1w5rSSTJub3ZolJz/7jpe+/BjozkEYiiG7jn6bD/T5HWMKuub56HGP5/mbKXSVtgfA8QzlCH7574mD+xK/bteT1LPBRsQXUpiuCNCmCx4Et6ln0lJPb52PyOMP0op96OJT6636gqZci/N+j2XpovR4HAIdw5chjBY28MmYg4CBjcoXLcYcA6YSVIRQ3/iIS+uG/dfHsrxIjWxtFuDrOyPrdvhQg0BL+vF5CfKbDKs/o/3fanPGlyEyjV3Ca9/goK4SCZ3KDTmSEhPLZ9F3fMAuL6ufGQL1ZinlWuynqegDacfr1GZRcUVYSLcZI0dg=
X-PARTNER-ID: 12345
X-EXTERNAL-ID: 95184120658180428881231208566
CHANNEL-ID: 77001
```

</details>

#### Request Body

<details>

<summary>Sample Request Body SNAP Create VA</summary>

```json
{
    "virtualAccountName": "Jokul Doe",
    "virtualAccountEmail": "jokul@email.com",
    "virtualAccountPhone": "6281828384858",
    "trxId": "abcdefgh1234",
    "totalAmount":
    {
        "value": "12345678.00",
        "currency": "IDR"
    },
    "expiredDate": "2020-12-31T23:59:59-07:00",
    "additionalInfo":
    {
        "billDate": "2020-12-31T23:59:59-07:00",
        "channelCode": "402",
        "billDescription": "Maintenance"
    }
}
```

</details>

## Verifying Signature SNAP

To validate, the signature that has been generated and sent when request made will be verify by merchant.

#### **Verifying Signature SNAP Parameters**

<table><thead><tr><th width="291">Parameter</th><th>Description</th></tr></thead><tbody><tr><td>X-SIGNATURE_FROM_FASPAY</td><td>The signature used on the SNAP API request</td></tr><tr><td>FASPAY_PUBLIC_KEY</td><td>A key used to verify the signature (generated by Faspay)</td></tr><tr><td>stringToSign</td><td><p>To create a string that will be used to verify signature.<br></p><p><strong>Formula:</strong> </p><p>HTTPMethod+”:“+EndpointUrl+":“+Lowercase(HexEncode(SHA256(minify(RequestBody)))) + ":“ + TimeStamp</p></td></tr><tr><td>HTTPMethod</td><td>POST / DELETE / PUT (based on service API)</td></tr><tr><td>EndpointURL</td><td>Complete the Endpoint URL including all related URL parameters (Relative path, example: Path in the general information of each API service)<br><strong>(sample: /v1.0/transfer-va/create-va)</strong></td></tr><tr><td>RequestBody</td><td>Data that send to API services</td></tr><tr><td>TimeStamp</td><td><p>Timestamp request sent</p><p><strong>Format:</strong> datetime ISO 8601</p><p><strong>(sample: 2022-12-12T16:00:00+07:00)</strong></p></td></tr></tbody></table>

You can verify the signature by following these steps:

1. By using `stringToSign` a string will be created, the string used to verify the signature.
2. Next, the signature will be decoded by `base64_decode`.
3. The decoder result will be verified using algorithm `SHA256`, with string that has been created, and the public key provided by Faspay.
4. Last, it will return 1 if the signature matches, and 0 if it doesn’t matches.

### Verifying Signature Sample

This is a sample to verify the signature that used on VA inquiry. SNAP VA inquiry in details can be seen [here](https://docs.faspay.co.id/merchant-integration/api-reference-1/snap/snap-virtual-account#inquiry).

<table data-header-hidden><thead><tr><th width="206"></th><th></th></tr></thead><tbody><tr><td>SNAP Service</td><td>VA Inquiry</td></tr><tr><td>Method</td><td>POST</td></tr><tr><td>Endpoint URL</td><td>/v1.0/transfer-va/inquiry</td></tr><tr><td>Request Body</td><td><p>{ </p><p>"partnerServiceId": " 88899", </p><p>"customerNo": "12345678901234567890",</p><p>"virtualAccountNo": " 08889912345678901234567890", "inquiryRequestId": "abcdef-123456-abcdef" </p><p>}</p></td></tr><tr><td>Public Key</td><td>MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArrb7I5HI84lxKybUDxSXNlj/QmUtM82Uey2Lx6LHkFc4gMFJZkK9eLdETAo2k+Pd9aLxuGWL/CabRczAZHLc/n4Xr9jeThGU9PpFAyJuUrNNsCOaZgF0Hf05iaeE+HL+LkRKMxg3iNUVy8707pHV94B+cYJJVh/eSLYTrZfhN6177F3Ap8r6ApAh1d8DE6Vr2ITKuS5iI1WYjN1jBntaD82+MOt6su5vcQT+iJv0sLiN+eUysi0NDEabA5Z5OQJPuqt2Mbus4q/H4c06unPbZ15jjoO6tjxznFypBUavDBXXGtxeqsBcWL9dJuJE0R0gVnB7UbpgJaaELpK5pqklY1QQaSHi/M850MqGVHGgeHP6KbgZG3/pcozCv75yoau7nYU3gtwbLoBkMrNSbMlhresz7PpBG6oXrln7Zrt311SftzU3mfcyCckoQwytEGlCbx/mcYuLNorWrL0M3mSircODVL5YYfZq6gXGK6EkYivpp/UIJn2JO9/KBo+9DgChwxBYlGWjA/avhEG9qbs26MfGBz55UtlLjgvHtY+nhJN8fZL2OW0t6RsqYUMsmxisFDTROm/6m0ps15+T6eozrPASFyMGldzEnZynKEjW8jxkvICNzPLL6YIQPHgIcaCwaZgkq6PL9pQkCXCn1K7uyaE6A1wTz13KDJYHvsSyxdUCAwEAAQ==</td></tr><tr><td>Request Body (hashed with SHA256 algorithm)</td><td>c17a71cdbe89106d0950aa390cffa746e0f94359010789955779fd5817c8e924</td></tr><tr><td>Timestamp</td><td>2022-12-12T16:00:00+07:00</td></tr><tr><td>String to Sign for Verifiying Signature</td><td>POST:/v1.0/transfer-va/inquiry:c17a71cdbe89106d0950aa390cffa746e0f94359010789955779fd5817c8e924:2022-12-12T16:00:00+07:00</td></tr></tbody></table>