Authentication & Authorization
Every request to the API must be authenticated. This is done by passing the following HTTP headers to the API:
- timestamp
  The timestamp should be the time in UTC when the message was sent. Use the format “yyyy-MM-dd HH:mm:ss”.
  Example: 2017-10-23 13:03:03
- authorization
  This should be in the format “Svea {token}”, where token is calculated using this formula:
  base64(utf8({checkoutmerchantid}:base16(lowercase(sha512(utf8({requestbody}{checkoutsecret}{timestamp}))))))
  where
  - {checkoutmerchantid} is the merchant identifier assigned to you by Svea.
  - {requestbody} is the body of the request (or an empty string for GET requests).
  - {checkoutsecret} is the secret key assigned to your CheckoutMerchantId by Svea.
  - {timestamp} is the same value as the timestamp header.
  Example: Svea MTAwMDAxOjJEOEQ2QkQzRjNGMjYyRUM1NDcwRjhBNjUxRDk2NTIzRTI2M0NFNjEyQUI5MDkxREQzRUM1NkJBOURFRTMyNTUwNEUzM0FDOTM0NjhBMTlCREZDNjEwQjQ3QzE2RTQwMzk1MjIzMDE2QzQyRkFBN0UwNTFCQTAwQzg5RTcwRUEy
Token Generation Example Code
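    using System;
    using System.Globalization;
    using System.Security.Cryptography;
    using System.Text;
    ...
    void CreateAuthenticationToken(out string token, out string timestamp, string message = null)
    {
        // Example values; use the merchant id and secret assigned to you by Svea.
        const int merchantId = 123123;
        const string secretKey = "sharedSecret";
        // GET requests have no body, so an empty string is hashed.
        message = message ?? string.Empty;
        // Send this exact string as the timestamp header.
        timestamp = DateTime.UtcNow.ToString("yyyy-MM-dd HH:mm:ss", CultureInfo.InvariantCulture);
        using (var sha512 = SHA512.Create())
        {
            // SHA-512 over the UTF-8 bytes of body + secret + timestamp.
            var hashBytes = sha512.ComputeHash(Encoding.UTF8.GetBytes(message + secretKey + timestamp));
            // BitConverter.ToString yields uppercase hex pairs joined by "-"; drop the dashes.
            var hashString = BitConverter.ToString(hashBytes).Replace("-", string.Empty);
            // Base64 of "{merchantId}:{hash}"; send it as "Svea " + token.
            token = Convert.ToBase64String(Encoding.UTF8.GetBytes(merchantId + ":" + hashString));
        }
    }
    ...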
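The scheme above in Python, with a verifier you can use in a local test harness to check a client's headers before sending them. This is an added example, not Svea's code or part of the original page. The names `build_headers` and `verify` and the five-minute freshness window are assumptions; the page does not say how the API checks timestamps.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%d %H:%M:%S"   # the page's "yyyy-MM-dd HH:mm:ss", in UTC
MAX_SKEW = timedelta(minutes=5)   # assumption: the page states no freshness window


def _hex_digest(body: str, secret: str, timestamp: str) -> str:
    # SHA-512 over utf8(body + secret + timestamp). Uppercase hex, which is
    # what the page's C# sample (BitConverter.ToString) produces.
    data = (body + secret + timestamp).encode("utf-8")
    return hashlib.sha512(data).hexdigest().upper()


def build_headers(merchant_id: str, secret: str, body: str = "", now=None) -> dict:
    """Client side: produce the two headers the page describes."""
    timestamp = (now or datetime.now(timezone.utc)).strftime(TS_FORMAT)
    raw = f"{merchant_id}:{_hex_digest(body, secret, timestamp)}"
    token = base64.b64encode(raw.encode("utf-8")).decode("ascii")
    return {"authorization": f"Svea {token}", "timestamp": timestamp}


def verify(headers: dict, body: str, secrets: dict, now=None) -> str:
    """Test-harness side: return the merchant id, or raise ValueError."""
    now = now or datetime.now(timezone.utc)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme != "Svea" or not token:
        raise ValueError("missing or malformed authorization header")
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
        sent = datetime.strptime(headers["timestamp"], TS_FORMAT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError) as exc:
        raise ValueError("undecodable token or timestamp") from exc
    merchant_id, sep, digest = raw.partition(":")
    if not sep or merchant_id not in secrets:
        raise ValueError("unknown merchant")
    if abs(now - sent) > MAX_SKEW:
        raise ValueError("timestamp outside allowed window")
    expected = _hex_digest(body, secrets[merchant_id], headers["timestamp"])
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        raise ValueError("digest mismatch")
    return merchant_id
```

Because the digest covers the body and the timestamp, a change to either one after signing makes `verify` fail, and the freshness check limits how long a captured header pair stays usable.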