Payment Signature

To ensure payment information has not been modified in any way (for example by a man-in-the-middle attack or by modifications to client-side code in the browser), we require the merchant to sign the request using a nonce. This nonce must be requested for every payment and cannot be reused.

Signing the payment request

This process will be encapsulated in the various SDKs we are planning on releasing. Until then, merchants need to implement this signature server-side, so that their Client Secret ID does not leak, and pass the signature along to the widget-ui.

To initiate a payment, the merchant will need to call the endpoint to create a unique signature. This signature is connected to the orderRef property, so merchants should ensure that orderRef is unique per payment.

Once the signature has been received, it should be sent as the paymentSignature property in the widget.

How it works

Once the call is signed, we compare it on Mode to ensure it matches the source. If it doesn't, payment initiation is rejected and the widget-ui is updated accordingly.
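
The comparison described above, modelled as an added example (not Mode's implementation and not code from this page). HMAC-SHA256, the amount and currency fields, and the SignatureModel class with its method names are assumptions made for illustration; it shows why a changed payment field or a reused signature is rejected.

```python
import hashlib
import hmac
import json


class SignatureModel:
    """Toy stand-in for the signing endpoint plus the later comparison (assumed design)."""

    def __init__(self, server_key: bytes):
        self._key = server_key        # stays on the server side only
        self._pending = {}            # orderRef -> issued signature, not yet used
        self._used_refs = set()       # every orderRef that was ever signed

    def _mac(self, payment: dict) -> str:
        # Canonical JSON so the same fields always produce the same bytes.
        body = json.dumps(payment, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def create_signature(self, payment: dict) -> str:
        """Called by the merchant backend, once per payment."""
        ref = payment["orderRef"]
        if ref in self._used_refs:
            raise ValueError(f"orderRef {ref!r} already has a signature")
        self._used_refs.add(ref)
        self._pending[ref] = self._mac(payment)
        return self._pending[ref]

    def initiate_payment(self, payment: dict, payment_signature: str) -> bool:
        """What the widget submits: the payment fields plus paymentSignature."""
        issued = self._pending.get(payment.get("orderRef"))
        if issued is None:
            return False              # unknown orderRef, or signature already spent
        same_sig = hmac.compare_digest(issued.encode(), payment_signature.encode())
        same_body = hmac.compare_digest(self._mac(payment).encode(), issued.encode())
        if not (same_sig and same_body):
            return False              # fields or signature changed after signing
        del self._pending[payment["orderRef"]]   # a signature is accepted once
        return True


if __name__ == "__main__":
    model = SignatureModel(b"constructed-demo-key")          # constructed key
    order = {"orderRef": "order-1001", "amount": "25.00", "currency": "GBP"}  # constructed
    sig = model.create_signature(order)
    print(model.initiate_payment(dict(order, amount="0.01"), sig))  # tampered amount
    print(model.initiate_payment(order, sig))                       # untouched payment
    print(model.initiate_payment(order, sig))                       # same signature again
```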
