Authentication for iyzico services aligns with Basic Auth principles, while enhancing security through a precise sequence of encryption techniques, including PKI string, Base64, HMAC and SHA-256 hashing
To access our API securely, authentication is required. Authentication is achieved through the inclusion of an API Keyand base64EncodedAuthorizationtogether in the header of your HTTP requests.
POST /payment/bin/check HTTP/1.1
Host: sandbox-api.iyzipay.com
Authorization: IYZWSv2 YXBpS2V5OnNhbmRib3gtbDlNZDFHajNJWWNtdTROZGFXeGFTVW9Db1g3REM1UkEmcmFuZG9tS2V5OjEyMzQ1Njc4OSZzaWduYXR1cmU6MDc5ZGY0YjI0MjZmYzdmNDIwOGQ4ZjIyZmJjMDM0OTc5NDAxOWY4Y2UyYjA3MTFkZTc4MDhiNDg3NGY0ZTc5Ng==
Content-Type: application/json
x-iyzi-rnd: 123456789 // x-iyzi-rnd used to be random key from previous SHA1 Authentication
Overview
Here's a breakdown of the required components:
apiKey: Your unique API key assigned to your account.
secretKey: Your secret key associated with your account.
x-iyzi-rnd: A randomly generated number by merchants that included in the request header for each API call. (x-iyzi-rnd used to be random key from previous SHA1 Authentication)
encryptedData: The encrypted version of the request payload parameters with HMACSHA256.
Authentication can be divided into three sequential steps:
encryptedData
base64Encoded
Authorization
1. encryptedData
The encryptedData represents a encrypted version of the request payload, the process entails generating a hash using HMACSHA256 encryption.
The signature is generated using the following formula, relatively;
In between IYZWSv2 and base64EncodedAuthorization there is a single line space.
Sample Pre-request Script of Authorization on Postman
Taking a dummy Bin Check request as an example, the authorization process would be as follows;
var apiKey = environment.apiKey;
var secretKey = environment.secretKey;
//Generate authorization string
function generateAuthorizationString() {
// Lets create uniq randomKey
// Sample randomKey : 1722246017090123456789
// x-iyzi-rnd used to be random key from previous SHA1 Authentication, so plese do not hesitate to use x-iyzi-rnd as your randomkey.
var randomKey = new Date().getTime() + "123456789";
// Get the uri path for this request
// Sample uri_path : /payment/bin/check
var uri_path = "/payment/bin/check";
// Get the payload and concatanete with uri path and randomKey.
// Sample payload : payload: 1722246017090123456789/payment/bin/check{"binNumber":"589004"}
var payload = _.isEmpty(request.data) ? randomKey + uri_path : randomKey + uri_path + request.data;
// Encrypt the payload with HMACSHA256
// Sample encryptedData : 91e491486d3aa951b4f387cc93d67fc754c4729af95344b694435f56447819e9
var encryptedData = CryptoJS.HmacSHA256(payload, secretKey);
// Create the authorizationString using encryptedData
/* Sample authorizationString : apiKey:sandbox-3uHv0LccjcWDyFHTvJpiACKPcJwbczmZ&
randomKey:1722246017090123456789&
signature:91e491486d3aa951b4f387cc93d67fc754c4729af95344b694435f56447819e9 */
var authorizationString = "apiKey:" + apiKey
+ "&randomKey:" + randomKey
+ "&signature:" + encryptedData;
// Encode the authorizationString with base64
// Sample base64EncodedAuthorization : YXBpS2V5OnNhbmRib3gtM3VIdjBMY2NqY1dEeUZIVHZKcGlBQ0tQY0p3YmN6bVomcmFuZG9tS2V5OjE3MjIyNDYwMTcwOTAxMjM0NTY3ODkmc2lnbmF0dXJlOjkxZTQ5MTQ4NmQzYWE5NTFiNGYzODdjYzkzZDY3ZmM3NTRjNDcyOWFmOTUzNDRiNjk0NDM1ZjU2NDQ3ODE5ZTk=
var base64EncodedAuthorization = CryptoJS.enc.Base64.stringify(CryptoJS.enc.Utf8.parse(authorizationString));
// Concatanate the encoded authorizationString with 'IYZWSv2 '.
// Sample return value : IYZWSv2 YXBpS2V5OnNhbmRib3gtM3VIdjBMY2NqY1dEeUZIVHZKcGlBQ0tQY0p3YmN6bVomcmFuZG9tS2V5OjE3MjIyNDYwMTcwOTAxMjM0NTY3ODkmc2lnbmF0dXJlOjkxZTQ5MTQ4NmQzYWE5NTFiNGYzODdjYzkzZDY3ZmM3NTRjNDcyOWFmOTUzNDRiNjk0NDM1ZjU2NDQ3ODE5ZTk=
return "IYZWSv2 " + base64EncodedAuthorization;
}
var authorization = generateAuthorizationString();
postman.setEnvironmentVariable("authorization", authorization);
