Authentication for iyzico services aligns with Basic Auth principles, while enhancing security through a precise sequence of encoding and hashing steps, including PKI string, Base64, HMAC and SHA-256 hashing.
To access our API securely, authentication is required. Authentication is achieved by including an API Key and base64EncodedAuthorization together in the header of your HTTP requests.
```
POST /payment/bin/check HTTP/1.1
Host: sandbox-api.iyzipay.com
Authorization: IYZWSv2 YXBpS2V5OnNhbmRib3gtbDlNZDFHajNJWWNtdTROZGFXeGFTVW9Db1g3REM1UkEmcmFuZG9tS2V5OjEyMzQ1Njc4OSZzaWduYXR1cmU6MDc5ZGY0YjI0MjZmYzdmNDIwOGQ4ZjIyZmJjMDM0OTc5NDAxOWY4Y2UyYjA3MTFkZTc4MDhiNDg3NGY0ZTc5Ng==
Content-Type: application/json
x-iyzi-rnd: 123456789
```
Note: x-iyzi-rnd used to be the random key in the previous SHA1 Authentication.
Overview
Here's a breakdown of the required components:
apiKey: Your unique API key assigned to your account.
secretKey: Your secret key associated with your account.
x-iyzi-rnd: A random number generated by the merchant and included in the request header of each API call. (x-iyzi-rnd used to be the random key in the previous SHA1 Authentication.)
encryptedData: The HMACSHA256 hash of the request payload parameters, computed with your secretKey.
Authentication can be divided into three sequential steps:
encryptedData
base64Encoded
Authorization
1. encryptedData
The encryptedData is a keyed hash of the request payload, generated with HMACSHA256 using your secretKey. Despite the name, nothing is encrypted: the value is a signature over the payload and cannot be reversed to recover it.
The signature is generated using the following formula:
There is a single space between IYZWSv2 and base64EncodedAuthorization.
Sample Pre-request Script of Authorization on Postman
Taking a dummy Bin Check request as an example, the authorization process would be as follows:
```javascript
var apiKey = environment.apiKey;
var secretKey = environment.secretKey;

// Generate authorization string
function generateAuthorizationString() {
    // Let's create a unique randomKey
    // Sample randomKey : 1722246017090123456789
    // x-iyzi-rnd used to be the random key in the previous SHA1 Authentication,
    // so please do not hesitate to use x-iyzi-rnd as your randomKey.
    var randomKey = new Date().getTime() + "123456789";

    // Get the uri path for this request
    // Sample uri_path : /payment/bin/check
    var uri_path = "/payment/bin/check";

    // Get the payload and concatenate it with the uri path and randomKey.
    // Sample payload : 1722246017090123456789/payment/bin/check{"binNumber":"589004"}
    var payload = _.isEmpty(request.data) ? randomKey + uri_path : randomKey + uri_path + request.data;

    // Hash the payload with HMACSHA256, keyed with secretKey
    // Sample encryptedData : 91e491486d3aa951b4f387cc93d67fc754c4729af95344b694435f56447819e9
    var encryptedData = CryptoJS.HmacSHA256(payload, secretKey);

    // Create the authorizationString using encryptedData
    /* Sample authorizationString :
       apiKey:sandbox-3uHv0LccjcWDyFHTvJpiACKPcJwbczmZ&
       randomKey:1722246017090123456789&
       signature:91e491486d3aa951b4f387cc93d67fc754c4729af95344b694435f56447819e9 */
    var authorizationString = "apiKey:" + apiKey
        + "&randomKey:" + randomKey
        + "&signature:" + encryptedData;

    // Encode the authorizationString with base64
    // Sample base64EncodedAuthorization : YXBpS2V5OnNhbmRib3gtM3VIdjBMY2NqY1dEeUZIVHZKcGlBQ0tQY0p3YmN6bVomcmFuZG9tS2V5OjE3MjIyNDYwMTcwOTAxMjM0NTY3ODkmc2lnbmF0dXJlOjkxZTQ5MTQ4NmQzYWE5NTFiNGYzODdjYzkzZDY3ZmM3NTRjNDcyOWFmOTUzNDRiNjk0NDM1ZjU2NDQ3ODE5ZTk=
    var base64EncodedAuthorization = CryptoJS.enc.Base64.stringify(CryptoJS.enc.Utf8.parse(authorizationString));

    // Concatenate the encoded authorizationString with 'IYZWSv2 '.
    // Sample return value : IYZWSv2 YXBpS2V5OnNhbmRib3gtM3VIdjBMY2NqY1dEeUZIVHZKcGlBQ0tQY0p3YmN6bVomcmFuZG9tS2V5OjE3MjIyNDYwMTcwOTAxMjM0NTY3ODkmc2lnbmF0dXJlOjkxZTQ5MTQ4NmQzYWE5NTFiNGYzODdjYzkzZDY3ZmM3NTRjNDcyOWFmOTUzNDRiNjk0NDM1ZjU2NDQ3ODE5ZTk=
    return "IYZWSv2 " + base64EncodedAuthorization;
}

var authorization = generateAuthorizationString();
postman.setEnvironmentVariable("authorization", authorization);
```
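The same signing steps outside Postman, as an added Node.js example that is not iyzico's code, together with the reverse check a mock endpoint could run when testing an integration. The credentials are constructed placeholders, and `verifyAuthorization` with its `lookupSecret` callback is a hypothetical receiver-side check, not iyzico's server logic.

```javascript
// Added example, not iyzico code: build and check an IYZWSv2 header in Node.js.
const crypto = require("crypto");

// Constructed placeholder credentials (not real keys).
const SAMPLE_API_KEY = "sandbox-EXAMPLE-API-KEY";
const SAMPLE_SECRET_KEY = "sandbox-EXAMPLE-SECRET-KEY";

// hex(HMAC-SHA256(secretKey, randomKey + uriPath + body)); body is the exact
// string sent on the wire, or empty for requests without a payload.
function sign(secretKey, randomKey, uriPath, body) {
  return crypto.createHmac("sha256", secretKey)
    .update(randomKey + uriPath + (body || ""), "utf8")
    .digest("hex");
}

function buildAuthorization(apiKey, secretKey, randomKey, uriPath, body) {
  const signature = sign(secretKey, randomKey, uriPath, body);
  const authString = `apiKey:${apiKey}&randomKey:${randomKey}&signature:${signature}`;
  return "IYZWSv2 " + Buffer.from(authString, "utf8").toString("base64");
}

// Split a header back into its fields; null if it is not well-formed.
function parseAuthorization(header) {
  const m = /^IYZWSv2 ([A-Za-z0-9+/]+={0,2})$/.exec(header || "");
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const f = /^apiKey:([^&]+)&randomKey:([^&]+)&signature:([0-9a-f]{64})$/.exec(decoded);
  return f ? { apiKey: f[1], randomKey: f[2], signature: f[3] } : null;
}

// Hypothetical receiver-side check (e.g. a mock server in integration tests).
// lookupSecret(apiKey) is an assumed callback returning the secret or null.
function verifyAuthorization(header, uriPath, rawBody, lookupSecret) {
  const fields = parseAuthorization(header);
  const secretKey = fields && lookupSecret(fields.apiKey);
  if (!secretKey) return false;
  const expected = Buffer.from(sign(secretKey, fields.randomKey, uriPath, rawBody), "hex");
  const received = Buffer.from(fields.signature, "hex");
  // Constant-time comparison avoids leaking how many leading bytes matched.
  return crypto.timingSafeEqual(expected, received);
}
```

Sign the exact string you send: re-serializing the JSON body (for example, adding a space after a colon) produces a different HMAC, so the signature no longer matches the request.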