Authentication & Authorization

Every request to the API must be authenticated. This is done by passing the following HTTP headers to the API:


The timestamp should be the time in UTC when the message was sent. Use the format “yyyy-MM-dd HH:mm:ss”.

2017-10-23 13:03:03

This should be in the format “Svea {token}” where token is calculated using this formula: base64(utf8({checkoutmerchantid}:base16(lowercase(sha512(utf8({requestbody}{checkoutsecret}{timestamp})))))) where

  • {checkoutmerchantid} is the merchant identifier assigned to you by Svea.
  • {requestbody} is the body of the request (or an empty string for GET requests).
  • {checkoutsecret} is the secret key assigned to your CheckoutMerchantId by Svea.
  • {timestamp} is the same value as the timestamp header.

Token Generation Example Code

using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

void CreateAuthenticationToken(out string token, out string timestamp, string message = null)
{
    const int merchantId = 123123;
    const string secretKey = "sharedSecret";
    // GET requests have no body, so an empty string is hashed.
    message = message ?? string.Empty;
    timestamp = DateTime.UtcNow.ToString("yyyy-MM-dd HH:mm:ss", CultureInfo.InvariantCulture);

    using (var sha512 = SHA512.Create())
    {
        var hashBytes = sha512.ComputeHash(Encoding.UTF8.GetBytes(message + secretKey + timestamp));
        // Hex-encode the digest in lowercase, as the token formula specifies.
        var hashString = BitConverter.ToString(hashBytes).Replace("-", string.Empty).ToLowerInvariant();
        token = Convert.ToBase64String(Encoding.UTF8.GetBytes(merchantId + ":" + hashString));
    }
}
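The token formula above binds the exact request body and the timestamp to the secret, so a change to either invalidates the token. The following Python sketch is an added example, not Svea's code: make_token and sign_request follow the formula on this page, while check_request, the SECRETS store and the five-minute max_skew are assumptions made here to show what a receiver can recompute and reject.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # the page's "yyyy-MM-dd HH:mm:ss", always UTC
# Constructed sample store; the id and secret are the placeholders from the C# example.
SECRETS = {"123123": "sharedSecret"}


def make_token(merchant_id, secret, body, timestamp):
    """base64(utf8(merchantid:lowercase-hex(sha512(utf8(body + secret + timestamp)))))."""
    digest = hashlib.sha512((body + secret + timestamp).encode("utf-8")).hexdigest()
    return base64.b64encode(f"{merchant_id}:{digest}".encode("utf-8")).decode("ascii")


def sign_request(merchant_id, secret, body="", now=None):
    """Return (authorization value, timestamp value); body is "" for GET requests."""
    now = now or datetime.now(timezone.utc)
    timestamp = now.astimezone(timezone.utc).strftime(TS_FORMAT)
    return "Svea " + make_token(merchant_id, secret, body, timestamp), timestamp


def check_request(authorization, timestamp, body, secrets, now, max_skew=timedelta(minutes=5)):
    """Hypothetical receiver-side check; max_skew is an assumed value, not from the page."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Svea":
        return False
    try:
        merchant_id = base64.b64decode(token, validate=True).decode("utf-8").partition(":")[0]
        sent_at = datetime.strptime(timestamp, TS_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:  # malformed base64, non-UTF-8 bytes, or a bad timestamp
        return False
    if merchant_id not in secrets or abs(now - sent_at) > max_skew:
        return False  # unknown merchant, or timestamp outside the accepted window
    expected = make_token(merchant_id, secrets[merchant_id], body, timestamp)
    return hmac.compare_digest(expected.encode(), token.encode())  # constant-time compare


if __name__ == "__main__":
    auth, ts = sign_request("123123", "sharedSecret", '{"currency":"SEK"}')
    now = datetime.now(timezone.utc)
    print(check_request(auth, ts, '{"currency":"SEK"}', SECRETS, now))  # body as signed
    print(check_request(auth, ts, '{"currency":"EUR"}', SECRETS, now))  # body altered
```

Hash the same string that is sent as the request body: re-serializing the JSON after signing (different whitespace or key order) produces a different digest.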