Ensuring Security

Checksum, IP whitelist, ...

Whether opting for a static or dynamic Transaction Completion Notification URL, prioritizing security is key. Unauthorized access to this URL could enable malicious actors to fabricate payment transactions, leading to potential financial loss. To safeguard against such risks, diligently implement the prescribed security measures outlined below for the protection of the Transaction Completion Notification URL.

Make sure your Transaction Completion Notification URL is secure!

Implement Checksum

Codapay's checksum combination is TxnID + API key + OrderId + ResultCode, partners should also need to do the corresponding update after changing the API key.

Using a checksum will help ensure messages are not tampered with. The Checksum string is created using the TxnId, the API key, the OrderID (if any), and the ResultCode:

Step 1

Append the values listed below as a string as follows: “TxnID + API key + OrderId + ResultCode”. For example: TxnId = 3381290433880074215 ApiKey = 5a8ca8f31f19a23c41edd14b29a74fd2 OrderId = 8ae6ffee169b ResultCode = 0

String checksumString = "33812904338800742155a8ca8f31f19a23c41edd14b29a74fd28ae6ffee169b0"

Step 2

Calculate the MD5 hash of the string (checksumString). The MD5 algorithm will return a byte array value.

Step 3

Convert from the byte array value to a hexadecimal string. The result string will be "5cb948816af0b5b61516fd71a17d271b."

For those seeking Checksum validation, generate an MD5-calculated and hexadecimal-converted string. Subsequently, compare this string with the Checksum value specified in the Transaction Completion Notification parameters to ensure data integrity and security.

Implement HTTPS

This will prevent third parties from message eavesdropping.

Filtering Codapay IP

Only if the transaction callback can get through your firewall and send you a transaction completion notification message.

Please ensure Codapay is the only one who can send you transaction completion notification messages by configuring your firewall using Codapay's IP addresses (accessible via Publisher Portal.)

Filtering Merchant IP

This whitelisting is based on rendering on the init interface, and only the IP you whitelisted can request orders. Directions: Publisher Portal -> Integration -> Security -> Codapay Partner Settings -> Action (Edit IP Address)