To enforce the security of our APIs and ensure that funds can only be moved by an authorized entity, IntaSend recommends that requests to the transfer APIs are initiated and signed before they are processed.
The PSD2 standard suggests that payment transactions must be signed and authenticated with at least two steps, i.e. a password or token, and something that only the merchant knows, e.g. an OTP or a security key.
The following guide breaks down how this should be done and also provides code examples to help you get started.
Note: This procedure is currently mandatory for the Send Money (Disbursement) approval API.
IntaSend recommends that you generate a private key using RSA with a key size of 2048 bits.
Generating your private key. This key must never be shared. It must be stored in a secure place where only your application can access it.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private-key.pem
Use the private key to generate its corresponding public key.
openssl pkey -in private-key.pem -out public-key.pem -pubout
Copy the content of public-key.pem for use in the next section, i.e. adding it to a new API device for signature verification during requests.
Learn how to install OpenSSL on Windows here: https://tecadmin.net/install-openssl-on-windows/
Most Linux systems come with OpenSSL installed. If yours does not, check this link for installation instructions: https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/
Navigate to the API Devices section under your settings section and add your newly generated public key.
In the diagram below, note that the secret (private) key is used to sign the message and the public key is used to verify it. IntaSend retains the public key in its database for verification purposes. You must securely store the private key for signing messages, e.g. the nonce, when approving transactions with the API.
Below is a list of OpenSSL libraries and code examples for various languages.
import OpenSSL
from OpenSSL import crypto as OpenSSLCrypto

def sign(private_key, message):
    # private_key: PEM-encoded RSA private key (bytes); message: bytes to sign (e.g. the nonce)
    pkey = OpenSSLCrypto.load_privatekey(OpenSSLCrypto.FILETYPE_PEM, private_key, None)
    signature = OpenSSL.crypto.sign(pkey, message, "sha256")
    # Return the RSA/SHA-256 signature as a hex string for transport in the API request
    return signature.hex()

def verify(public_key, signature_hex, message):
    # public_key: PEM-encoded RSA public key (bytes); signature_hex: the value produced by sign()
    pkey = OpenSSLCrypto.load_publickey(OpenSSLCrypto.FILETYPE_PEM, public_key)
    # pyOpenSSL's verify() expects an X509 object, so wrap the bare public key in one
    x509 = OpenSSLCrypto.X509()
    x509.set_pubkey(pkey)
    signed = bytes.fromhex(signature_hex)
    # Returns None when the signature is valid and raises OpenSSL.crypto.Error otherwise
    results = OpenSSL.crypto.verify(x509, signed, message, "sha256")
    return results
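The sign-with-private-key / verify-with-public-key flow from the diagram, and the pyOpenSSL sign()/verify() pair above, done end to end with the same openssl CLI the guide already uses. This is an added example and not IntaSend's own code; the key file names, the temporary directory and the nonce value are constructed for the demo, and the signature is base64-encoded here rather than hex-encoded as in the Python snippet. It also shows the failure mode a verifier must handle: a signature over a different nonce is rejected.

```shell
#!/bin/sh
# Added example (not IntaSend's code): sign a nonce with the RSA private key and
# verify it with the matching public key, as the API device flow requires.
set -eu

WORK="$(mktemp -d)"            # constructed scratch directory for the demo keys
trap 'rm -rf "$WORK"' EXIT

# Generate the 2048-bit RSA key pair exactly as the guide does.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/private-key.pem" 2>/dev/null
openssl pkey -in "$WORK/private-key.pem" -out "$WORK/public-key.pem" -pubout

# sign_nonce NONCE -> prints a single-line base64 RSA/SHA-256 signature.
# Only the party holding private-key.pem can produce this value.
sign_nonce() {
  printf '%s' "$1" \
    | openssl dgst -sha256 -sign "$WORK/private-key.pem" -binary \
    | openssl enc -base64 -A
}

# verify_nonce NONCE SIGNATURE_B64 -> exit status 0 if the signature was made
# over exactly this nonce with the private key matching public-key.pem, 1 otherwise.
verify_nonce() {
  printf '%s' "$2" | openssl enc -base64 -d -A > "$WORK/sig.bin"
  printf '%s' "$1" \
    | openssl dgst -sha256 -verify "$WORK/public-key.pem" \
        -signature "$WORK/sig.bin" >/dev/null 2>&1
}

# Demo: a constructed nonce (in production the nonce comes from the API).
NONCE="demo-nonce-2f9c1b"
SIG="$(sign_nonce "$NONCE")"

if verify_nonce "$NONCE" "$SIG"; then
  echo "nonce signature valid"
else
  echo "nonce signature INVALID"
fi

# A signature presented for a different nonce must be rejected by the verifier.
if verify_nonce "${NONCE}-altered" "$SIG"; then
  echo "BUG: altered nonce accepted"
else
  echo "altered nonce rejected as expected"
fi
```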