SHA1 Authentication

Please be informed that SHA1 Authentication will no longer be supported after November 31st, 2024. Our esteemed merchants need to enhance their codebases to use HMACSHA256 Authentication.

Please prioritize this update to ensure your systems remain secure and compliant.

Authentication for iyzico services follows Basic Auth principles, with additional security from a precise sequence of operations: building the PKI string, SHA-1 hashing, and Base64 encoding.

To access our API securely, authentication is required. Authentication is achieved through the inclusion of an API Key and pkiString together in the header of your HTTP requests.

"Authorization": "IYZWS"+" "+"YOUR_API_KEY"+":"+"pkiString"

Example Request Header:

POST /payment/iyzipos/checkoutform/initialize/auth/ecom HTTP/1.1
Host: sandbox-api.iyzipay.com
Authorization: IYZWS sandbox-Uc8cxE7Y2c1kXdJ7JyiSgkyCSW8m8pth:mo75MZlJ73ycrsRzuIK2WVrPb9c=
Content-Type: application/json

Overview

Here's a breakdown of the required components:

  • apiKey: Your unique API key assigned to your account.

  • x-iyzi-rnd: A randomly generated number included in the request header for each API call.

  • secretKey: Your secret key associated with your account.

  • requestString: The serialized version of the request payload parameters.

Authentication can be divided into three sequential steps:

  1. requestString

  2. SHA1 and base64

  3. Authorization

1. requestString

The requestString is a transformed version of the request payload. The transformation removes null fields and whitespace, converts colons (:) to equals (=), and removes any double quotation marks (").

iyzico API services require the use of dots (.) for decimal numbers.

As a sample, a dummy Bin Check request is shown below as a curl command:

curl 
--location --request POST 'https://api.iyzipay.com/payment/bin/check' \
--header 'Authorization: IYZWS ***' \
--header 'x-iyzi-rnd: 123456789' \
--header 'Content-Type: application/json' \
--data-raw '{
  "locale":"tr",
  "binNumber":"535805"
}'

requestString for that Bin Check request is;

[locale=tr,binNumber=535805]

2. SHA1 and base64

Assuming that the requestString has been generated correctly, the next step is SHA1 hashing and Base64 encoding. The pkiString is produced by hashing with SHA1 and then encoding the raw SHA1 digest (not its hex representation) in Base64.

The signature is generated using the following formula, with the values concatenated in the order shown:

base64(SHA1(apiKey + request.headers["x-iyzi-rnd"] + secretKey + requestString))

The result is our pkiString to be used in the header.

3. Authorization

After all the operations, the final and simplest step is to include IYZWS, YOUR_API_KEY, and pkiString in the header, in that order.

...
"Authorization": "IYZWS"+" "+"YOUR_API_KEY"+":"+"pkiString"
...

Between IYZWS and YOUR_API_KEY there is a single space character.

Sample Pre-request Script of Authorization on Postman

Taking a dummy Bin Check request as an example, the authorization process would be as follows;

// Credentials are read from Postman variables rather than written into the script.
const apiKey = pm.variables.get("apiKey");
const secretKey = pm.variables.get("secretKey");

// Request model for Bin Check: every field starts as null, is filled from the
// request body, and null fields are stripped before the request is signed.
const binNumber = {
    locale: null,
    conversationId: null,
    binNumber: null,
};

/**
 * Deletes null members from an object in place, recursing into nested
 * values whose typeof is 'object' (plain objects and arrays alike) and
 * dropping any nested container that is left with no keys.
 * @param {Object} obj - object to clean; mutated and returned
 * @returns {Object} the same object, with null and empty members removed
 */
function nullClear(obj) {
    for (const member in obj) {
        const value = obj[member];
        if (value === null) {
            delete obj[member];
            continue;
        }
        if (typeof value !== 'object') {
            continue;
        }
        obj[member] = nullClear(value);
        // a nested container that became empty is dropped as well
        if (Object.keys(obj[member]).length === 0) {
            delete obj[member];
        }
    }
    return obj;
}

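/**
 * Copies the fields of a JSON request body onto a model object and then
 * strips null/empty members via nullClear.
 *
 * Keys present in the body but absent from the model are copied through as
 * well, so the model is a template for field order, not a whitelist.
 * Nested objects are merged recursively; arrays are copied element-wise,
 * except "basketItems", whose elements are merged into fresh BasketItem
 * instances (BasketItem is expected to be defined elsewhere in the Postman
 * script; it is not part of this sample).
 *
 * Fixes: a null value in the body (typeof 'object') used to be treated as a
 * nested object, which left `undefined` on the model and later serialised as
 * the literal text "undefined"; nulls are now assigned as-is so nullClear
 * drops them. A nested object or array for a key the model does not have no
 * longer throws; an empty container is created for it.
 *
 * @param {string} jsonString - raw JSON text of the request body
 * @param {Object} obj - model to fill; mutated in place and returned
 * @returns {Object} the model with null and empty members removed
 * @throws {SyntaxError} if jsonString is not valid JSON
 */
function jsonToObj(jsonString, obj) {
    const parsed = JSON.parse(jsonString);
    // NOTE(review): keys are copied verbatim, so a body containing "__proto__"
    // would be written onto the model too. The body is the merchant's own
    // request, so this is noted rather than filtered here.
    for (const key in parsed) {
        if (!Object.prototype.hasOwnProperty.call(parsed, key)) {
            continue;
        }
        const value = parsed[key];
        if (value === null || typeof value !== 'object') {
            // scalars and nulls are assigned directly; nullClear removes the nulls
            obj[key] = value;
        } else if (Array.isArray(value)) {
            if (!Array.isArray(obj[key])) {
                obj[key] = [];
            }
            for (let i = 0; i < value.length; i++) {
                if (key === "basketItems") {
                    obj[key].push(new BasketItem());
                    obj[key][i] = jsonToObj(JSON.stringify(value[i]), obj[key][i]);
                } else {
                    obj[key][i] = value[i];
                }
            }
        } else {
            obj[key] = jsonToObj(JSON.stringify(value), obj[key] || {});
        }
    }
    return nullClear(obj);
}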

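/**
 * Serializes a request model into iyzico's PKI request-string format:
 * objects become `[key=value,key2=value2]`, arrays become `[a, b]`
 * (note the different separators), and nested containers are rendered
 * recursively with the same rules. Scalars are coerced by string
 * concatenation.
 *
 * Fix: an empty object or array used to render as "]" because the
 * separator trimming sliced into the opening bracket; it now renders
 * as "[]".
 *
 * @param {Object|Array} obj - request model (expected to have passed through
 *   nullClear first, so null members are not anticipated here)
 * @returns {string} the bracketed request string
 */
function generateRequestString(obj) {
    const isArray = Array.isArray(obj);
    const separator = isArray ? ', ' : ',';
    const parts = [];
    for (const key in obj) {
        const val = obj[key];
        // arrays list bare values; objects list key=value pairs
        const prefix = isArray ? '' : key + '=';
        const rendered = typeof val === 'object' ? generateRequestString(val) : val;
        parts.push(prefix + rendered);
    }
    return '[' + parts.join(separator) + ']';
}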

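/**
 * Builds the IYZWS Authorization header value for a request model:
 *   "IYZWS " + apiKey + ":" + base64(SHA1(apiKey + x-iyzi-rnd + secretKey + requestString))
 * Reads apiKey/secretKey from the script scope and x-iyzi-rnd from the
 * request headers, and publishes the resulting pkiString as a Postman global.
 *
 * Fixes: the "pkiString" global used to receive the hash pre-image
 * (apiKey + rnd + secretKey + requestString), i.e. the secret key itself,
 * which Postman stores with the workspace; it now receives the Base64 hash,
 * matching the documented meaning of pkiString. The console.log of the full
 * requestString (the request payload) is dropped for the same reason.
 *
 * @param {Object} obj - request model (output of jsonToObj)
 * @returns {string} Authorization header value
 * @throws {Error} if the x-iyzi-rnd header is absent; the signature would
 *   otherwise be computed over the text "undefined" and rejected by the API
 */
function generateAuthorizationString(obj) {
    const requestString = generateRequestString(obj);
    const randomString = request.headers["x-iyzi-rnd"];
    if (randomString === undefined || randomString === null) {
        throw new Error('x-iyzi-rnd header is required to sign the request');
    }
    // Base64 of the raw SHA1 digest (not its hex form).
    const hashSha1 = CryptoJS.SHA1(apiKey + randomString + secretKey + requestString);
    const pkiString = CryptoJS.enc.Base64.stringify(hashSha1);
    postman.setGlobalVariable("pkiString", pkiString);
    return "IYZWS" + " " + apiKey + ":" + pkiString;
}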

// Fill the model from the outgoing request body, sign it, and expose the
// header value to the request through the "authorization" global.
const requestModel = jsonToObj(request.data, binNumber);
const authorization = generateAuthorizationString(requestModel);
postman.setGlobalVariable("authorization", authorization);
