BananaTech
    BananaTech
    • API Security Implementation Guide
    • Guides
      • 01-README
      • 02-Getting-Started
      • 03-Virtual-Cards
      • 04-Physical-Cards
      • 05-Card-Operations
    • Webhook
      • Integration Guide
      • Event Types
    • Merchant related APIs
      • Get Account Balance
        POST
      • Get Card Templates
        POST
      • Set Webhook URL
        POST
      • Get Webhook Records
        POST
    • User related APIs
      • Register
        POST
      • Get Users
        POST
    • Card related APIs
      • Apply
        POST
      • Recharge
        POST
      • Update Status
        POST
      • Get Balance
        POST
      • Get Information
        POST
      • Get Transactions
        POST
      • Assign (for Physical cards only)
        POST
      • Set PIN (for Physical cards only)
        POST
      • 3DS Confirm
        POST
    • Schemas
      • Sample Schemas
        • Pet
        • Category
        • Tag

    API Security Implementation Guide

    Introduction#

    This document describes the security measures required to interact with our API endpoints. All requests must be encrypted and signed using the provided authentication credentials.

    Authentication Credentials#

    Upon registration, you will receive:
    Merchant-ID: A unique UUID that identifies your organization
    Secret Key: A secret key used for encryption and signing

    Request Security Requirements#

    Headers#

    Each request must include the following headers:
    Merchant-ID: Your unique merchant identifier
    X-HMAC: HMAC signature of the encrypted payload

    Request Body#

    The request body should contain a single field:
    encrypted_payload: The encrypted and base64-encoded payload

    Encryption Process#

    1. Prepare the Request Payload#

    First, prepare your request data as a JSON object. For example:
    {
    "email": "user@example.com",
    "mobileNumber": "1234567890",
    "mobilePrefix": "+1"
}

    2. Encrypt the Payload#

    The payload must be encrypted using AES-CBC with PKCS7 padding:
    1.
    Convert your JSON payload to a string
    2.
    Generate a random 16-byte IV (Initialization Vector)
    3.
    Encrypt the data using:
    Algorithm: AES-CBC
    Key: Your provided Secret Key
    Padding: PKCS7
    4.
    Concatenate the IV and encrypted data
    5.
    Base64 encode the result

    3. Generate HMAC#

    1.
    Calculate HMAC-SHA256 of the base64-encoded encrypted payload using your Secret Key
    2.
    Convert the HMAC to hexadecimal format

    Example Implementation (Python)#

    Response Format#

    The API response will follow the same security pattern:
    {
    "encrypted_payload": "base64-encoded-encrypted-data",
    "hmac": "hmac-signature-of-encrypted-payload"
}
    To decrypt the response:
    1.
    Verify the HMAC signature
    2.
    Base64 decode the encrypted payload
    3.
    Extract the IV (first 16 bytes)
    4.
    Decrypt the remaining data using AES-CBC
    5.
    Remove PKCS7 padding
    6.
    Parse the resulting JSON

    Error Handling#

    The API will return HTTP 400 status code if:
    The HMAC signature is invalid
    The encrypted payload is malformed
    The decrypted data is not valid JSON
    The Merchant-ID is invalid

    Security Recommendations#

    1.
    Never share your Secret Key
    2.
    Generate a new IV for each request
    3.
    Verify HMAC signatures for all responses
    4.
    Use secure random number generation for IVs
    5.
    Store the Secret Key securely
    6.
    Use HTTPS for all API communications
    Modified at 2025-01-23 22:55:37
    Next
    01-README
    Built with