OPay Payment Authentication
OPay payment flow was designed to guarantee the security and authenticity of our merchant transactions. OPay APIs use the state of the art cryptographic primitives to maintain the highest level of authentication and fraud prevention. OPay APIs are secured using API keys which will be generated automatically for you upon creation of your merchant account. Depending on the type of your API call, one of the following two authentication schemes MUST be applied:
- Public Key Authentication: Used for payment creation API (Cashier Create Payment).
- Signature Authentication: used for other payment related APIs (Cashier Payment Status , Cashier Refund, Cashier Payment Close).
API Keys
OPay APIs use API keys to authenticate all API requests. Upon creating your merchant account, your API keys shall auto generated for you. You can find API keys under API Keys & Webhooks section of your OPay merchant's dashboard.
Two API Keys are generated:
- Secret Key: used to sign the create payment APIs (Cashier Payment , Transaction Payment). Header: Bearer Signature and merchant ID
- Public Key: used as authorization key in the header of your other OPay payment related APIs. Header: Bearer Public Key and merchant ID
Authorization: Bearer {signature}
MerchantId : 256612345678901
Authorization: Bearer {PublicKey}
MerchantId : 256612345678901
Public Key Authentication
Your public key should be used for authorization header of the following API calls:
The authorization header of these requests should contain your Public Key and merchant ID.
Authorization: Bearer {PublicKey}
MerchantId : 256612345678901
Signature Authentication
Signature authentication ensures the highest level of security for your payment creation requests. Not only does it provide a secure authentication mechanism, but also it ensures the integrity of your request payload, that is the content of your request payload has not been altered since it was transmitted from your side. OPay signatures are calculated using HMAC-SH512 applied to payload and signed with your secret key.
Your public key should be used for authorization header of the following API calls:
- Cashier Payment Status
- Cashier Payment Refund
- Cashier Refund Status
- Cashier Payment Reversal
- Cashier Reversal Status
The authorization header of these requests should contain your HMAC-SHA512 signature of your payload signed using your secret key and merchant ID.
Authorization: Bearer {signature}
MerchantId : 256612345678901