API signature

1. Sign with appSecret

Step 1: Put all request parameters into an array, and sort it by key according to the rules below:

1) If the array index is a number, sort all values and concatenate the sorted values into a string.

2) If the array index is a string, sort the array by key and then concatenate the values, in key order, into a string.

3) If a value in the array is itself an array, recursively concatenate its values into a string based on the two rules above.

Step 2: Concatenate the sorted value string and the GMT-formatted time string (e.g. Tue, 16 Jun 2020 06:17:42 GMT) to form rawString.

Step 3: Calculate the signature with hash_hmac using the sha256 algorithm, taking rawString as the data and the developer's appSecret as the key. Take the raw binary output and encode it with base64 to get the signature.

Example (Reseller Fetch PIN):

Reseller Developer AppId and AppSecret:

AppId: "gIoyQaKZ1zIQqBVlzR_BxrJ4"
AppSecret: "yelyHt6Y0jRkeXwFDiMmA-APSWj88eELzkvIxN6ZS1MHgWET"

API Request parameters:

{
  product_id:"2",
  quantity:"2",
  out_trade_id:"2019298869",
  random_key:"TMlPoZNabvAUZfB1"
}

Sort the array by key (the array index is a string):

{
    out_trade_id:"2019298869",
    product_id:"2",
    quantity:"2",
    random_key:"TMlPoZNabvAUZfB1"
}

Concatenate the sorted values into a string, then append the GMT-format time string to get the rawString below:

rawString = "201929886922TMlPoZNabvAUZfB1Tue, 16 Jun 2020 06:17:42 GMT"

Calculate the signature with hash_hmac. Note that hash_hmac outputs raw binary data because the 4th parameter is true; base64-encode the raw binary data to get the signature string:

base64_encode(hash_hmac('sha256', rawString, AppSecret, true))

Signature:

signature = "pPlTUC9kXco3nLw27W+pH9rRWzvXdZdL2F7XyLHnfKw="
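
Steps 1 to 3 as a Python sketch, added here as an illustration and not HitPoints' own code. The function names are hypothetical, and the handling of number-indexed arrays (nested items flattened first, then compared as strings) is an assumption, since the rules above do not spell it out. The receiver-side check uses a constant-time comparison.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate


def flatten(value):
    """Step 1: concatenate values recursively in the documented order."""
    if isinstance(value, dict):
        # String-indexed array: order by key, then join the values.
        return "".join(flatten(value[k]) for k in sorted(value))
    if isinstance(value, (list, tuple)):
        # Number-indexed array: order by value. Assumption: nested items are
        # flattened first and everything is compared as a string.
        return "".join(sorted(flatten(v) for v in value))
    return str(value)


def raw_string(params, gmt_time):
    """Step 2: sorted value string followed by the GMT time string."""
    return flatten(params) + gmt_time


def sign(params, gmt_time, app_secret):
    """Step 3: base64 of the raw HMAC-SHA256 output, keyed with appSecret."""
    mac = hmac.new(app_secret.encode(), raw_string(params, gmt_time).encode(),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify(params, gmt_time, app_secret, signature):
    """Receiver side: recompute the signature and compare in constant time."""
    return hmac.compare_digest(sign(params, gmt_time, app_secret), signature)


def gmt_now():
    """Current time in the GMT format used above."""
    return formatdate(usegmt=True)


# Sample values copied from the Reseller Fetch PIN example above.
APP_SECRET = "yelyHt6Y0jRkeXwFDiMmA-APSWj88eELzkvIxN6ZS1MHgWET"
GMT_TIME = "Tue, 16 Jun 2020 06:17:42 GMT"
PARAMS = {"product_id": "2", "quantity": "2",
          "out_trade_id": "2019298869", "random_key": "TMlPoZNabvAUZfB1"}

if __name__ == "__main__":
    print(raw_string(PARAMS, GMT_TIME))
    print(sign(PARAMS, GMT_TIME, APP_SECRET))
```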

2. Sign with openssl_sign + RSA

This algorithm uses asymmetric cryptography; it is safer than signing with appSecret. To use the openssl signature, the developer needs to create a pair of RSA certificates and send the public key certificate to HitPoints. After HitPoints receives the public key, HitPoints sends back the public key of the HitPoints server. When the developer calls the HitPoints API, the developer signs the request data with the developer's own private key certificate, and the HitPoints API validates the request with the public key certificate provided by the developer. When HitPoints responds to a request that was signed with an RSA private key certificate, HitPoints signs the response data with HitPoints' RSA private key certificate.

Step 1: Build rawString as described in "Sign with appSecret".

Step 2: Generate the openssl signature, taking rawString as the data and the developer's private key as the key; the signature algorithm is OPENSSL_ALGO_SHA1.

3. Signature Online Test

HitPoints provides an online test tool for developers to check the signing result. Web: Signature Online Test

4. IP whitelist

If the developer has defined an IP whitelist, HitPoints checks the REMOTE ADDR of requests made with the developer's appId and refuses the request if REMOTE ADDR is not in the IP whitelist.
