Signature Algorithm

note

Signature algorithm is used to sign your payment API request with a private key to obtain additional security.

important

Data object needs to be sorted, the Nested object also needs to be sorted.

Step 1 : Prepare a Request Paramater#

Method : POST

note

Refer to which API endpoint your are calling , below request parameter is just an EXAMPLE

Example of Web/Mobile Payment#

Parameter	Type	Required	Description	Example
`order`	Object	Yes	Object of order	(Refer to explanation below)
`customer`	Object	Yes	Object of customer	(Refer to explanation below)
`method`	[]String	Yes	RM currently supported method	[]
`type`	String	Yes	Object of type	(Refer to explanation below)
`storeId`	String	Yes	ID of the store to create QR code	"10946114768247530"
`redirectUrl`	String	Yes	URL to redirect after payment is made	"https://google.com"
`notifyUrl`	String	Yes	Example of Notify URL Response	"https://google.com"
`layoutVersion`	String	Optional	Select layout for Web payment	v1 / v2 (Supported Credit Card) / v3 (Supported Credit Card and FPX)

Order object (order):

Parameter	Type	Required	Description	Example
`title`	String	Yes	Order title, max: 32	"Sales"
`detail`	String	Yes	Order detail, max: 600	"1 x iPhone X; 2 x SAMSUNG S8"
`additionalData`	String	Yes	Order description	"Sales"
`amount`	Uint	Yes	Amount of order in cent. Only required when "isPrefillAmount" = true. (min RM 0.10 or amount: 10)	100
`currencyType`	String	Yes	Currency notation (currently only support `MYR`)	"MYR"
`id`	String	Order ID	"6170506694335521334"

Customer object (customer):

Parameter	Type	Required	Description	Example
`userId`	String	Yes	if tokenization enable need userId	"13245876"
`email`	String	Optional	Customer Email	""
`countryCode`	String	Optional	Customer Country Code	""
`phoneNumber`	String	Optional	Customer Phone Number	""

Type Object (type):

Parameter	Type	Required	Example
`type`	String	Yes	"WEB_PAYMENT"
`type`	String	Yes	"MOBILE_PAYMENT"

Example Request

{
  "order": {
    "title": "hello",
    "detail": "",
    "additionalData": "world",
    "amount": 10,
    "currencyType": "MYR",
    "id": "7211"
  },
  "customer": {
    "userId": "13245876",
    "email": ""
  },
  "method": [],
  "type": "WEB_PAYMENT",
  "storeId": "1608123035564538121",
  "redirectUrl": "https://revenuemonster.my",
  "notifyUrl": "https://dev-rm-api.ap.ngrok.io",
  "layoutVersion": "v3"
}

Step 2 : Encode the data using Base64 format#

note

ewogICAgIm9yZGVyIjogewogICAgCSJ0aXRsZSI6ICJoZWxsbyIsCiAgICAJImRldGFpbCI6ICIiLAogICAgCSJhZGRpdGlvbmFsRGF0YSI6ICJ3b3JsZCIsCgkgICAgImFtb3VudCI6IDEwLAoJICAgICJjdXJyZW5jeVR5cGUiOiAiTVlSIiwKCSAgICAiaWQiOiAgIjcyMTEiCiAgICB9LAogICAgImN1c3RvbWVyIjogewogICAgInVzZXJJZCI6ICIiLAogICAgImVtYWlsIjogIiIKfSwKICAgICJtZXRob2QiOltdLAogICAgInR5cGUiOiAiV0VCX1BBWU1FTlQiLAogICAgInN0b3JlSWQiOiAiMTYwODEyMzAzNTU2NDUzODEyMSIsCiAgICAicmVkaXJlY3RVcmwiOiAiaHR0cHM6Ly9yZXZlbnVlbW9uc3Rlci5teSIsCiAgICAibm90aWZ5VXJsIjogImh0dHBzOi8vZGV2LXJtLWFwaS5hcC5uZ3Jvay5pbyIsCiAgICAibGF5b3V0VmVyc2lvbiI6InYzIgp9

Step 3: Construct plain text parameters#

Parameter	Type	Required	Description	Example
`data`	String	Yes	Base64 data body from Step 2.	Refer to Step 2
`method`	String	Yes	HTTP call method used	"post"
`nonceStr`	String	Yes	Random string	"VYNknZohxwicZMaWbNdBKUrnrxDtaRhN"
`requestURL`	String	Yes	API URL that you call must be exactly the same, together with URL.	https://sb-open.revenuemonster.my/v3/payment/online
`signType`	String	Yes	Sign Type, prefer SHA-256	"sha256"
`timestamp`	String	Yes	UNIX timestamp of request	"1527407052"

Example

note

data=ewogICAgIm9yZGVyIjogewogICAgCSJ0aXRsZSI6ICJoZWxsbyIsCiAgICAJImRldGFpbCI6ICIiLAogICAgCSJhZGRpdGlvbmFsRGF0YSI6ICJ3b3JsZCIsCgkgICAgImFtb3VudCI6IDEwLAoJICAgICJjdXJyZW5jeVR5cGUiOiAiTVlSIiwKCSAgICAiaWQiOiAgIjcyMTEiCiAgICB9LAogICAgImN1c3RvbWVyIjogewogICAgInVzZXJJZCI6ICIiLAogICAgImVtYWlsIjogIiIKfSwKICAgICJtZXRob2QiOltdLAogICAgInR5cGUiOiAiV0VCX1BBWU1FTlQiLAogICAgInN0b3JlSWQiOiAiMTYwODEyMzAzNTU2NDUzODEyMSIsCiAgICAicmVkaXJlY3RVcmwiOiAiaHR0cHM6Ly9yZXZlbnVlbW9uc3Rlci5teSIsCiAgICAibm90aWZ5VXJsIjogImh0dHBzOi8vZGV2LXJtLWFwaS5hcC5uZ3Jvay5pbyIsCiAgICAibGF5b3V0VmVyc2lvbiI6InYzIgp9&method=post&nonceStr=VYNknZohxwicZMaWbNdBKUrnrxDtaRhN&requestUrl=https://sb-open.revenuemonster.my/v3/payment/online&signType=sha256&timestamp=1527407052

Step 4: Sign with CLIENT PRIVATE KEY#

Parameter	Type	Required	Description
`data`	String	Yes	Sign the request data in Step 3 using CLIENT PRIVATE KEY	Response show as below

note

Example of Signature

sha256 IrBg6t73VsH7ieEnQDB4CXHFjMWUkp8Dtddpxqw+4Gvz6Tag7Dx6nrfAt2ofYK8xZN9aBCvAKAfmAOGWIXnsTXfhFBnMA2kadiga7ufUJ81ozyhllbiliRM2ugw1OcqSTLRHWBPhrVwhHBxgDiG9wbuI3FKURrz+CufYYakFoCw=

Step 5: Signature of Request Data#

note

Put this Signature into header under X-Signature, construct the request as below and call API endpoint:

curl --request POST
 --url 'https://sb-open.revenuemonster.my/v3/payment/online'
 --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjIwMTgtMDMtMTMiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiKiJdLCJleHAiOjE1MjE2MjkyNTYsImlhdCI6MTUyMTYyMjA1NywiaXNzIjoiaHR0cHM6Ly9zYi1vYXV0aC5yZXZlbnVlbW9uc3Rlci5teSIsImp0aSI6IkVod0tFRTlCZFhSb1FXTmpaWE56Vkc5clpXNFF5cmYza3EzTDY4QnoiLCJuYmYiOjE1MjE2MjIwNTcsInN1YiI6IkVoUUtDRTFsY21Ob1lXNTBFSlhWemQzd3JhcVRPUklRQ2dSVmMyVnlFSXlKcUl6dnlNUFZjUSJ9.dJknY9MZHLNrKx1p7gZxS0_oA3uXLWplDU1r1dpwxIbmdB6yw4tQBTXKlWArDfKLlBDn6v22_gT5Px7sdCMj7e5M9eRoJoMnoPnslgYpmJJ5kjqAbKU7dUxKb1OzFLrvmtSK9r-FRLVtMFHioWYpwgSvSPBgZ6lAYkUyDzH7aKadFYtQcBuJR0hlq2CXtP0mzbHOeu2q6giONf3E5-XqS8lLRtuHPAbJ7_YFwo0Oe2zc6h05IOocmx_NvBVPfDBnuygTU063h70Q987MYeGDV_Os4N6N_I4b-GoHprEPtmntB1RJPrFrY28hvvoUfDHXHZVXT1GlrsozrkWV4EjbTw'
 --header 'Content-Type: application/json'
 --header 'X-Nonce-Str: VYNknZohxwicZMaWbNdBKUrnrxDtaRhN'
 --header 'X-Signature: sha256 IrBg6t73VsH7ieEnQDB4CXHFjMWUkp8Dtddpxqw+4Gvz6Tag7Dx6nrfAt2ofYK8xZN9aBCvAKAfmAOGWIXnsTXfhFBnMA2kadiga7ufUJ81ozyhllbiliRM2ugw1OcqSTLRHWBPhrVwhHBxgDiG9wbuI3FKURrz+CufYYakFoCw='
 --header 'X-Timestamp: 1527407052'
 --data '{
  "order": {
    "title": "hello",
    "detail": "",
    "additionalData": "world",
    "amount": 10,
    "currencyType": "MYR",
    "id": "7211"
  },
  "customer": {
    "userId": "13245876",
    "email": ""
  },
  "method": [],
  "type": "WEB_PAYMENT",
  "storeId": "1608123035564538121",
  "redirectUrl": "https://revenuemonster.my",
  "notifyUrl": "https://dev-rm-api.ap.ngrok.io",
  "layoutVersion": "v3"
}'

Response Parameters#

Parameter	Type	Description	Example
`item`	Object	item object	(Refer to explanation below)
`code`	String	Successfully call this endpoint. If fail, will return error code object (Refer `Appendix 1: Error Codes`)	"SUCCESS"

item Object (item):

Parameter	Type	Description	Example
`checkoutId`	String	Code to identify web payment url	"1548316308361173347"
`url`	String	Example to form checkout URL. Note: to change base URL to desired URL.	"https://sb-pg.revenuemonster.my/checkout?checkoutId=1548316308361173347"

Example Response

{
  "item": {
    "checkoutId": "1548316308361173347",
    "url": "https://sb-pg.revenuemonster.my/checkout?checkoutId=1548316308361173347"
  },
  "code": "SUCCESS"
}

Using RM Merchant Portal to get Signature#

Step 1 : Create New Application#

Go to Merchant Portal > Developer > Applications tab (last on the list) and you will see the following page:

Step 2 : Obtain Credential#

Click on the Applications created in Step 1. You may edit and update relevant information here :

If you would like to disable the application , simply toggle the "ON/OFF" switch button at the top right.

Click on Show to reveal your clientSecret:

Generate RSA KEYS#

If you need help to generate a key, go to Merchant portal > Developer > Application > Generator RSA Key Suggested key size: 2048 Bit. Keep your private keys in a safe place! Or use our Generate RSA key tool.

Private Keys are required to sign API request(s) contents.
Public Keys are used to verify content received.

Optional Tool: Signature Debugger#

Public Keys needs to have be wrap as following :

For security purposes, we enhanced our authentication flow and Open API by adding layers of encryption to our endpoints. You may develop your own encryption tool on your desired application directly, or use our Signature Debugger to do signing/verification using private/public keys as obtained from the previous step. Refer more on Signature Debugger

Invalid Request Signature#

note

You can refer the below Response if you received INVALID_REQUEST_SIGNATURE
we will guide you step by step to fix the issue

{
  "debug": {
    "preVerifyContent": {
      "step1": {
        "content": "{\"layoutVersion\":\"v2\",\"method\":[\"GOBIZ_MY\"],\"notifyUrl\":\"https://dev-rm-api.ap.ngrok.io\",\"order\":{\"additionalData\":\"world\",\"amount\":10,\"currencyType\":\"MYR\",\"detail\":\"hello\",\"id\":\"721115\",\"title\":\"hello\"},\"redirectUrl\":\"https://revenuemonster.my\",\"storeId\":\"10946114768247530\",\"type\":\"WEB_PAYMENT\"}",
        "remark": "Sort the json key alphabetically"
      },
      "step2": {
        "content": "eyJsYXlvdXRWZXJzaW9uIjoidjIiLCJtZXRob2QiOlsiR09CSVpfTVkiXSwibm90aWZ5VXJsIjoiaHR0cHM6Ly9kZXYtcm0tYXBpLmFwLm5ncm9rLmlvIiwib3JkZXIiOnsiYWRkaXRpb25hbERhdGEiOiJ3b3JsZCIsImFtb3VudCI6MTAsImN1cnJlbmN5VHlwZSI6Ik1ZUiIsImRldGFpbCI6ImhlbGxvIiwiaWQiOiI3MjExMTUiLCJ0aXRsZSI6ImhlbGxvIn0sInJlZGlyZWN0VXJsIjoiaHR0cHM6Ly9yZXZlbnVlbW9uc3Rlci5teSIsInN0b3JlSWQiOiIxMDk0NjExNDc2ODI0NzUzMCIsInR5cGUiOiJXRUJfUEFZTUVOVCJ9",
        "remark": "Encode the data using Base64 format"
      },
      "step3": {
        "content": "data=eyJsYXlvdXRWZXJzaW9uIjoidjIiLCJtZXRob2QiOlsiR09CSVpfTVkiXSwibm90aWZ5VXJsIjoiaHR0cHM6Ly9kZXYtcm0tYXBpLmFwLm5ncm9rLmlvIiwib3JkZXIiOnsiYWRkaXRpb25hbERhdGEiOiJ3b3JsZCIsImFtb3VudCI6MTAsImN1cnJlbmN5VHlwZSI6Ik1ZUiIsImRldGFpbCI6ImhlbGxvIiwiaWQiOiI3MjExMTUiLCJ0aXRsZSI6ImhlbGxvIn0sInJlZGlyZWN0VXJsIjoiaHR0cHM6Ly9yZXZlbnVlbW9uc3Rlci5teSIsInN0b3JlSWQiOiIxMDk0NjExNDc2ODI0NzUzMCIsInR5cGUiOiJXRUJfUEFZTUVOVCJ9&method=post&nonceStr=XAYZRZNLGCKSTURRFKBIGYALUKLCLJOG&requestUrl=https://sb-open.revenuemonster.my/v3/payment/online&signType=sha256&timestamp=1599467903",
        "remark": "Construct plain text parameters on this format, if the body is empty then the `data` parameter can be skip"
      },
      "step4": {
        "content": "data=eyJsYXlvdXRWZXJzaW9uIjoidjIiLCJtZXRob2QiOlsiR09CSVpfTVkiXSwibm90aWZ5VXJsIjoiaHR0cHM6Ly9kZXYtcm0tYXBpLmFwLm5ncm9rLmlvIiwib3JkZXIiOnsiYWRkaXRpb25hbERhdGEiOiJ3b3JsZCIsImFtb3VudCI6MTAsImN1cnJlbmN5VHlwZSI6Ik1ZUiIsImRldGFpbCI6ImhlbGxvIiwiaWQiOiI3MjExMTUiLCJ0aXRsZSI6ImhlbGxvIn0sInJlZGlyZWN0VXJsIjoiaHR0cHM6Ly9yZXZlbnVlbW9uc3Rlci5teSIsInN0b3JlSWQiOiIxMDk0NjExNDc2ODI0NzUzMCIsInR5cGUiOiJXRUJfUEFZTUVOVCJ9&method=post&nonceStr=XAYZRZNLGCKSTURRFKBIGYALUKLCLJOG&requestUrl=https://sb-open.revenuemonster.my/v3/payment/online&signType=sha256&timestamp=1599467903",
        "remark": "Sign this content using sha256 with rsa private key and make sure the public key have been uploaded to the portal"
      },
      "step5": {
        "remark": "The signature that generated from step 4, pass on the header X-Signature with prefix the sign type, e.g: sha256 {{ signatureContent }}l"
      }
    },
    "requestHeader": {
      "X-Nonce-Str": {
        "currentValue": "XAYZRZNLGCKSTURRFKBIGYALUKLCLJOG",
        "isValid": true,
        "remark": "Make sure the nonce str is should not contain space and must unique at least for 120 second, if not the server will throw duplicate request error"
      },
      "X-Signature": {
        "currentValue": "sha256 XvedDW8H2gqGL5gMzTHqDy1PXX3OqRF09WuQDkeCDwuinOAsPstcPOSefUwkyHPM9WPNKKHyR5qXbKNLC7UgQyGi8Ynio03kDo0p+g3BqXaUT1tpo5D8kv42Kh2S8CW4RkX2Dkf+Yxi2XMQ8l3kzPZaRyhudaGerUZony4Npzf63p4+oTBbXE01uX/4x/WL57+zkaaVRc1KlJsLdGsBmLlPOHLana7udJffJyxXhOmyokBuJ4GoOC8JpDG9oaKCNMZ88ow9CWWB0yRPrK2KeaEDwzCm2Jh8IFKw1gS6avQAwsjychZWv5XmAXkZ8ZQrnLXJquA09QpLxPTtOeQC9SA==",
        "isValid": false,
        "remark": "The signature is invalid, please check preVerifyContent parameter on how to generate the signature or go to our API documentation https://doc.revenuemonster.my/docs/quickstart/signature-algorithm"
      },
      "X-Timestamp": {
        "currentValue": "1599467903",
        "isValid": false,
        "remark": "Make sure the timestamp generated on UTC timezone and must be maximum the time difference is 120 second from the request send to the server, if not the server will throw invalid timestamp"
      }
    }
  },
  "error": {
    "code": "INVALID_REQUEST_SIGNATURE",
    "message": "The request signature is invalid"
  }
}

Check your Private key and Public key
No space in JSON data
To access all wallets, use method:[]
For amount:100 is RM 1.00