Obtain your publishable & secret key from https://dashboard.kolibripay.com and add X-PUBLISHABLE-KEY: <your publishable key here> to your request header
200 - OK
\nTransaction found
\n201 - Created
\nTransaction has been created
\n204 - No Content
\nTransaction has been updated
\n400 - Bad Request
\nThe request is malformed
\n401 - Unauthorized
\nYou provided no publishable key or a wrong publishable key
\n404 - Not found
\nResource not found
\nTo ensure authenticity and data integrity of incoming requests KolibriPay requires these requests to be signed. This signature is based on a Hash-based Message Authentication Code (HMAC) calculated using a request's key-value pairs and a secret key, which is known only to you and KolibriPay.
\nBefore sending a POST, UPDATE or DELETE request to KolibriPay, you calculate a signature and add it as a request parameter. When a request comes in, KolibriPay calculates the same signature based on the received key-value pairs and the secret key stored by KolibriPay. By verifying that both signatures are equal, KolibriPay ensures that the request is not tampered.
\nSimilarly, you can validate responses from KolibriPay by calculating the corresponding signature and comparing it with the signature in the response. This allows you to verify that the events were sent by Kolibri and not by a third party.
\nA replay attack is when an attacker intercepts a valid payload and its signature, then re-transmits them. To mitigate such attacks, KolibriPay includes a timestamp in the response body. Because this timestamp is part of the signed payload, it is also verified by the signature, so an attacker cannot change the timestamp without invalidating the signature. If the signature is valid but the timestamp is too old, you can have your application reject the payload. We suggest a 5 minutes tolerance between the timestamp and the current time.
\nEach signed response includes a kolibripay-signature header. This header contains a signature. You should always compare the signature in the header to the expected signature.
Below are some examples that illustrate how to determine the expected signature.
\nAll the examples output the following signature: qnR8UCqJggD55PohusaBNviGoOJ67HC6Btry4qXLVZc=\nThis signature is the result given the values of secret and Message. Take notice of the capital M.
To verify KolibriPay signature, replace secret with your secret key and replace Message with the raw request or response body.
Before processing live payments, we recommend testing your integration first by using the test mode. To enable the test mode simply include a header called test-mode with it's value set to true instead of the kolibripay-signature header.
The following endpoints support the test mode:
<script src=\"https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js\"></script>\n<script src=\"https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/hmac-sha256.min.js\"></script>\n<script src=\"https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/enc-base64.min.js\"></script>\n\n<script>\n var hash = CryptoJS.HmacSHA256(\"Message\", \"secret\");\n var hashInBase64 = CryptoJS.enc.Base64.stringify(hash);\n document.write(hashInBase64);\n</script>\nconst crypto = require('crypto');\nconst hmac = crypto.createHmac('SHA256', 'secret');\nhmac.update('Message');\nconst signature = hmac.digest('base64');\nconsole.log(signature);\n$s = hash_hmac('sha256', 'Message', 'secret', true);\necho base64_encode($s);\nimport javax.crypto.Mac;\nimport javax.crypto.spec.SecretKeySpec;\nimport org.apache.commons.codec.binary.Base64;\n\npublic class ApiSecurityExample {\n public static void main(String[] args) {\n try {\n String secret = \"secret\";\n String message = \"Message\";\n\n Mac sha256_HMAC = Mac.getInstance(\"HmacSHA256\");\n SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), \"HmacSHA256\");\n sha256_HMAC.init(secret_key);\n\n String hash = Base64.encodeBase64String(sha256_HMAC.doFinal(message.getBytes()));\n System.out.println(hash);\n }\n catch (Exception e){\n System.out.println(\"Error\");\n }\n }\n}\nimport javax.crypto.Mac;\nimport javax.crypto.spec.SecretKeySpec;\nimport java.security.InvalidKeyException;\n\ndef hmac_sha256(String secretKey, String data) {\n try {\n Mac mac = Mac.getInstance(\"HmacSHA256\")\n SecretKeySpec secretKeySpec = new SecretKeySpec(secretKey.getBytes(), \"HmacSHA256\")\n mac.init(secretKeySpec)\n byte[] digest = mac.doFinal(data.getBytes())\n return digest\n } catch (InvalidKeyException e) {\n throw new RuntimeException(\"Invalid key exception while converting to HMac SHA256\")\n }\n}\n\ndef hash = hmac_sha256(\"secret\", \"Message\")\nencodedData = hash.encodeBase64().toString()\nlog.info(encodedData)\nusing System.Security.Cryptography;\n\nnamespace Test\n{\n public class MyHmac\n {\n private string CreateToken(string message, string secret)\n {\n secret = secret ?? \"\";\n var encoding = new System.Text.ASCIIEncoding();\n byte[] keyByte = encoding.GetBytes(secret);\n byte[] messageBytes = encoding.GetBytes(message);\n using (var hmacsha256 = new HMACSHA256(keyByte))\n {\n byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);\n return Convert.ToBase64String(hashmessage);\n }\n }\n }\n}\n#import \"AppDelegate.h\"\n#import <CommonCrypto/CommonHMAC.h>\n\n@implementation AppDelegate\n\n- (void)applicationDidFinishLaunching:(NSNotification *)aNotification {\n NSString* key = @\"secret\";\n NSString* data = @\"Message\";\n\n const char *cKey = [key cStringUsingEncoding:NSASCIIStringEncoding];\n const char *cData = [data cStringUsingEncoding:NSASCIIStringEncoding];\n unsigned char cHMAC[CC_SHA256_DIGEST_LENGTH];\n CCHmac(kCCHmacAlgSHA256, cKey, strlen(cKey), cData, strlen(cData), cHMAC);\n NSData *hash = [[NSData alloc] initWithBytes:cHMAC length:sizeof(cHMAC)];\n\n NSLog(@\"%@\", hash);\n\n NSString* s = [AppDelegate base64forData:hash];\n NSLog(s);\n}\n\n+ (NSString*)base64forData:(NSData*)theData {\n const uint8_t* input = (const uint8_t*)[theData bytes];\n NSInteger length = [theData length];\n\n static char table[] = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\";\n\n NSMutableData* data = [NSMutableData dataWithLength:((length + 2) / 3) * 4];\n uint8_t* output = (uint8_t*)data.mutableBytes;\n\n NSInteger i;\n for (i=0; i < length; i += 3) {\n NSInteger value = 0;\n NSInteger j;\n for (j = i; j < (i + 3); j++) {\n value <<= 8;\n\n if (j < length) { value |= (0xFF & input[j]); } } NSInteger theIndex = (i / 3) * 4; output[theIndex + 0] = table[(value >> 18) & 0x3F];\n output[theIndex + 1] = table[(value >> 12) & 0x3F];\n output[theIndex + 2] = (i + 1) < length ? table[(value >> 6) & 0x3F] : '=';\n output[theIndex + 3] = (i + 2) < length ? table[(value >> 0) & 0x3F] : '=';\n }\n\n return [[NSString alloc] initWithData:data encoding:NSASCIIStringEncoding]; }\n\n@end\npackage main\n\nimport (\n \"crypto/hmac\"\n \"crypto/sha256\"\n \"encoding/base64\"\n \"fmt\"\n)\n\nfunc ComputeHmac256(message string, secret string) string {\n key := []byte(secret)\n h := hmac.New(sha256.New, key)\n h.Write([]byte(message))\n return base64.StdEncoding.EncodeToString(h.Sum(nil))\n}\n\nfunc main() {\n fmt.Println(ComputeHmac256(\"Message\", \"secret\"))\n}\nrequire 'openssl'\nrequire \"base64\"\n\nhash = OpenSSL::HMAC.digest('sha256', \"secret\", \"Message\")\nputs Base64.encode64(hash)\nimport hashlib\nimport hmac\nimport base64\n\nmessage = bytes('Message', 'utf-8')\nsecret = bytes('secret', 'utf-8')\n\nsignature = base64.b64encode(hmac.new(secret, message, digestmod=hashlib.sha256).digest())\nprint(signature)\nKolibriPay can send webhook notification events to your server to notify you when the status of a transaction changes. This is useful for purposes like determining when to fulfill the goods and services purchased by your customer.
\nTo handle a webhook notification event, you will have to expose an endpoint on your server and configure a corresponding webhook endpoint in the KolibriPay dashboard.\nThis endpoint on your server has to be able to receive HTTP POST requests.\nNotification events are signed by KolibriPay. The signature can be found in each event’s kolibripay-signature header
The following example shows a notification payload containing the transaction status :
\n{\n \"accountNr\": \"20003000\",\n \"amount\": 1000,\n \"amountPaid\": 1000,\n \"currency\": \"ang\",\n \"id\": \"eG2be22kWOXwubHRRmLZ\",\n \"status\": \"success\",\n \"timestamp\": 1597669104352\n}Amounts should be provided in the currency’s smallest unit. For example, to charge 10 USD, provide an amount value of 1000 (i.e., 1000 cents)
\n","urlObject":{"protocol":"https","path":["transactions",""],"host":["api","kolibripay","com"],"query":[],"variable":[]}},"response":[{"id":"c8db0b40-6c09-4499-b047-d486fdf8bcf0","name":"Create Transaction","originalRequest":{"method":"POST","header":[{"key":"Content-Type","name":"Content-Type","value":"application/x-www-form-urlencoded","type":"text"}],"body":{"mode":"raw","raw":"{\n\t\"amount\":total_amount,\n\t\"currency\":\"currency\",\n\t\"reference\":\"payment_description\",\n\t\"timestamp\":current_timestamp\n}"},"url":"https://api.kolibripay.com/transactions/"},"status":"Created","code":201,"_postman_previewlanguage":"Text","header":[{"key":"kolibripay-signature","value":"ddEGAd3fwE435y3GAe4fDSd28f23F3Y2mAfdsbd2","description":"","type":"text"}],"cookie":[],"responseTime":null,"body":"{\n\"beneficiaryName\": “Test Inc”,\n\"beneficiaryAccount\": “12345678\",\n\"address\": \"First Road #1, Willemstad, Curacao\",\n\"bic\": \"MCBKCWCU\",\n\"currency\": \"USD\",\n\"amount\": 2500,\n\"id\": \"eG2be22kWOXwubHRRmLZ\",\n\"url\":\"https://checkout.kolibripay.com/eG2be22kWOXwubHRRmLZ\",\n\"qrcode\":\"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAMgAAADICAYAAACtWK6eAAAISklEQVR4nO2ZMa7jUAwD//0vvXuDuBgQQ8scwCUlSk9Mk7+/v79/xz9Kur7dn9a33zd+P7aB+ICQdH27P61vv2/8fmwD8QEh6fp2f1rfft/4/dgG4gNC0vXt/rS+/b7x+7ENxAeEpOvb/Wl9+33j92MbiA8ISde3+9P69vvG78c2EB8Qkq5v96f17feN349tID4gJF3f7k/r2+8bvx/7ACj2A1+vT/u3s4BA/dfr0/7tLCBQ//X6tH87CwjUf70+7d/OAgL1X69P+7ezgED91+vT/u0sIFD/9fq0fzsLCNR/vT7t3048IPSB0v0p9nzUX5rz93N+QIg9H/WX5vz9nB8QYs9H/aU5fz/nB4TY81F/ac7fz/kBIfZ81F+a8/dzfkCIPR/1l+b8/ZwfEGLPR/2lOX8/5weE2PNRf2nO38/5AcP+0/7S/u356v2fHzDsP+0v7d+er97/+QHD/tP+0v7t+er9nx8w7D/tL+3fnq/e//kBw/7T/tL+7fnq/Z8fMOw/7S/t356v3v/5AcP+0/7S/u356v2fHzDsP+0v7d+er97/+QHD2Ptrr5/2t4DQAcPY+2uvn/a3gNABw9j7a6+f9reA0AHD2Ptrr5/2t4DQAcPY+2uvn/a3gNABw9j7a6+f9reA0AHD2Ptrr5/2t4DQAcPY+2uvn/ZXHxCb9gdOkz4g2r+dBaRcT1lAGAtIuZ6ygDAWkHI9ZQFhLCDlesoCwlhAyvWUBYSxgJTrKQsIYwEp11MWEAYOyNs/vKDpkf7tn24gPuAD02f1b/90A/EBH5g+q3/7pxuID/jA9Fn92z/dQHzAB6bP6t/+6QbiAz4wfVb/9k83EB/wgemz+rd/uoH4gA9Mn9W//Rsye6AxfrCAjPGDBWSMHywgY/xgARnjBwvIGD9YQMb4wQJSjv1HDD0Q21/af/v89nxpvb7gtx+I/YBfny+t1xf89gOxH/Dr86X1+oLffiD2A359vrReX/DbD8R+wK/Pl9brC377gdgP+PX50np9wW8/EPsBvz5fWq8v+O0HYj/g1+dL63GDuAGIfSDt/u2A0vppPW5gH9AT9gG1+19AIO0H9IR9QO3+FxBI+wE9YR9Qu/8FBNJ+QE/YB9TufwGBtB/QE/YBtftfQCDtB/SEfUDt/hcQSPsBPWEfULv/BUQ20F6f9k/7tw+kff74fPYC7Pq0f9p/+4FTff1+7AXY9Wn/tP/2A6f6+v3YC7Dr0/5p/+0HTvX1+7EXYNen/dP+2w+c6uv3Yy/Ark/7p/23HzjV1+/HXoBdn/ZP+28/cKqv34+9ALs+7Z/2337gVF+/H3uBNu0PmJ6vXU/B/d++AMoC0q2nLCCQBaRbT1lAIAtIt56ygEAWkG49ZQGBLCDdesoCAllAuvWUBQSygHTrKXb/R9IHZNdP623sH4h0f/192hdI66f1NvYBLiDQoF0/rbexD3ABgQbt+mm9jX2ACwg0aNdP623sA1xAoEG7flpvYx/gAgIN2vXTehv7ABcQaNCun9bb2AeoByT9gO0JfvsB2PPZ/ikLSNiffcD2fLZ/ygIS9mcfsD2f7Z+ygIT92Qdsz2f7pywgYX/2Advz2f4pC0jYn33A9ny2f8oCEvZnH7A9n+2fsoCE/dkHbM9n+6foAaEG7YBtP93+4/u5vsC0vzTt+7H9LyDwS/tL074f2/8CAr+0vzTt+7H9LyDwS/tL074f2/8CAr+0vzTt+7H9LyDwS/tL074f2/8CAr+0vzTt+7H9LyBhf/YB2vNT0vOn/S0g4f4LyAISxT6QBYSxgISxD2QBYSwgYewDWUAYC0gY+0AWEMYCEsY+kAWEsYCEsQ9kAWEsIGkDkPYDt/X74PvbD0SJLwj2t/X74PvbD0SJLwj2t/X74PvbD0SJLwj2t/X74PvbD0SJLwj2t/X74PvbD0SJLwj2t/X74PvbD0SJLwj2t/X74PvbD0SJLwj2t/X73Pt8PdcX1H4gdv/xwPUHWkAG4voDLSADcf2BFpCBuP5AC8hAXH+gBWQgrj/QAjIQ1x9oAYHQBbZ/dH57f2na90fB+7cP2D6wBaR7f5QF5GlAuECqX0Cyelp/AYELpPoFJKun9RcQuECqX0Cyelp/AYELpPoFJKun9RcQuECqX0Cyelp/AYELpPoFJKun9XFA2rEXPH8M+wdkAZHrf90f7a/vz14QRV/g/CEWkDD6AucPsYCE0Rc4f4gFJIy+wPlDLCBh9AXOH2IBCaMvcP4Q5wNCB7QfuN0fJf0+7e+P+9cbhP3T/tP+KPaB2/vF/esNwv5p/2l/FPvA7f3i/vUGYf+0/7Q/in3g9n5x/3qDsH/af9ofxT5we7+4f71B2D/tP+2PYh+4vV/cv94g7J/2n/ZHsQ/c3i/uX28Q9k/7T/uj2Adu7xf3rzcI+79dn95f2t/r69sG2g/U1i8gC0j1gdr6BWQBqT5QW7+ALCDVB2rrF5AFpPpAbf0CsoBUH6itX0AWkOoDtfULyALy6gNNY/u7/j4LSNh/Gtvf9fdZQML+09j+rr/PAhL2n8b2d/19FpCw/zS2v+vvs4CE/aex/V1/nwUk7D+N7e/6+ywgYf9pbH/X3yceEJv2B7je//r+FxD4pf2397++/wUEfmn/7f2v738BgV/af3v/6/tfQOCX9t/e//r+FxD4pf2397++/wUEfmn/7f2v738BgV/af3v/6/uPL8j+6ILs/mm9XZ8Sfz/7gNsP1O6f1tv1KQsIHdBeMOyf1tv1KQsIHdBeMOyf1tv1KQsIHdBeMOyf1tv1KQsIHdBeMOyf1tv1KQsIHdBeMOyf1tv1KQsIHdBeMOyf1tv1KdH3+w8mBzFeWGKd9wAAAABJRU5ErkJggg==\",\n\"timestamp\": 1597669104352\n}"}],"_postman_id":"c1a7d5ce-ef73-47ad-ab09-507feb300372"},{"name":"Get Transaction","id":"0deaa9b7-435a-4c0c-84b9-6efee0da0c87","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[{"key":"X-PUBLISHABLE-KEY","value":"your_publishable_key","type":"text"}],"url":"https://api.kolibripay.com/transactions/:id","description":"Retrieves the transaction with the given ID. The transaction identifier can be obtained by scanning a KolibriPay QR Code
\n","urlObject":{"protocol":"https","path":["transactions",":id"],"host":["api","kolibripay","com"],"query":[],"variable":[{"id":"c0ca2d15-31f4-4a2a-b858-a093b8b2b8fa","type":"string","value":"your_tansaction_id","key":"id"}]}},"response":[{"id":"80fa19c1-04af-413e-a4fe-8938c0eb496c","name":"Get Transaction","originalRequest":{"method":"GET","header":[{"key":"X-PUBLISHABLE-KEY","value":"your_publishable_key","type":"text"}],"url":"https://api.kolibripay.com/transactions/{{id}}"},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"kolibripay-signature","value":"NljwIk+Zfh198GxCaLDVu5u0ThGKaPLTYmb920rHv4I=","description":"","type":"text"}],"cookie":[],"responseTime":null,"body":"{\n\"accountHolder\": \"Acme Inc\",\n\"accountNr\": \"20003000\",\n\"address\": \"First Road #1, Willemstad, Curacao\",\n\"amount\": 1000,\n\"bic\": \"MCBKCWCU\",\n\"currency\": \"ang\",\n\"id\": \"eG2be22kWOXwubHRRmLZ\",\n\"reference\": \"Customer 123 / Invoice 456\",\n\"status\": \"draft\",\n\"timestamp\": 1597669104352\n}"}],"_postman_id":"0deaa9b7-435a-4c0c-84b9-6efee0da0c87"},{"name":"Update Transaction","id":"8fd237ed-c984-4ff0-be14-8f9d5c3b13b5","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"PUT","header":[{"key":"Content-Type","name":"Content-Type","value":"application/json","type":"text"},{"key":"X-PUBLISHABLE-KEY","value":"your_publishable_key","type":"text"}],"body":{"mode":"raw","raw":"{\n\t\"id\":\"your_tansaction_id\",\n\t\"status\":\"your_transaction_status\",\n\t\"amountPaid\":total_amount_paid,\n\t\"timestamp\":current_timestamp\n}"},"url":"https://api.kolibripay.com/transactions/","urlObject":{"protocol":"https","path":["transactions",""],"host":["api","kolibripay","com"],"query":[],"variable":[]}},"response":[{"id":"83a27d18-22dd-4cc5-8842-f8dd68f0a396","name":"Update Transaction","originalRequest":{"method":"PUT","header":[{"key":"Content-Type","name":"Content-Type","value":"application/json","type":"text"},{"key":"X-PUBLISHABLE-KEY","value":"your_publishable_key","type":"text"}],"body":{"mode":"raw","raw":"{\n\t\"id\":\"your_tansaction_id\",\n\t\"status\":\"your_transaction_status\",\n\t\"amountPaid\":total_amount_paid,\n\t\"timestamp\":current_timestamp\n}"},"url":"https://api.kolibripay.com/transactions/"},"status":"OK","code":200,"_postman_previewlanguage":"Text","header":[{"key":"kolibripay-signature","value":"kR4Dd67oRwV1n5bVhsd4YKsd7i0","description":"","type":"text"}],"cookie":[],"responseTime":null,"body":"{\n\"id\":\"eG2be22kWOXwubHRRmLZ\",\n\"status\": \"success\",\n\"timestamp\": 1597669104352\n }\n "}],"_postman_id":"8fd237ed-c984-4ff0-be14-8f9d5c3b13b5"},{"name":"Delete Transaction","id":"417d02d6-66ef-450d-a122-e1ccfe2ac1bf","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"DELETE","header":[{"key":"Content-Type","name":"Content-Type","value":"application/json","type":"text"},{"key":"X-PUBLISHABLE-KEY","value":"your_publishable_key","type":"text"}],"body":{"mode":"raw","raw":"{\n\t\"id\":\"your_tansaction_id\"\n}"},"url":"https://api.kolibripay.com/transactions/","urlObject":{"protocol":"https","path":["transactions",""],"host":["api","kolibripay","com"],"query":[],"variable":[]}},"response":[{"id":"d90d72ee-1162-40c2-9707-7170615d5f55","name":"Delete Transaction","originalRequest":{"method":"DELETE","header":[{"key":"Content-Type","name":"Content-Type","value":"application/json","type":"text"},{"key":"X-PUBLISHABLE-KEY","value":"your_publishable_key","type":"text"}],"body":{"mode":"raw","raw":"{\n\t\"id\":\"your_tansaction_id\"\n}"},"url":"https://api.kolibripay.com/transactions/"},"status":"No Content","code":204,"_postman_previewlanguage":null,"header":null,"cookie":[],"responseTime":null,"body":""}],"_postman_id":"417d02d6-66ef-450d-a122-e1ccfe2ac1bf"}],"event":[{"listen":"prerequest","script":{"id":"0ceb4807-fb92-4614-923c-3c1b5364ae0a","type":"text/javascript","exec":[""]}},{"listen":"test","script":{"id":"bf550e6e-a776-480f-bb75-c80fd0ddcbc5","type":"text/javascript","exec":[""]}}],"variable":[{"id":"50db4d0c-5cd9-4229-a0fb-2d441061dca7","key":"transactionId","value":"","type":"string"}]}