SHA1 Authentication

Authentication for iyzico services aligns with Basic Auth principles, while enhancing security through a precise sequence of encryption techniques, including PKI string, Base64, and SHA-1 hashing.

To access our API securely, authentication is required. Authentication is achieved through the inclusion of an API Key and pkiString together in the header of your HTTP requests.

"Authorization": "IYZWS"+" "+"YOUR_API_KEY"+":"+"pkiString"

Example Request Header:

POST /payment/iyzipos/checkoutform/initialize/auth/ecom HTTP/1.1
Host: sandbox-api.iyzipay.com
Authorization: IYZWS sandbox-Uc8cxE7Y2c1kXdJ7JyiSgkyCSW8m8pth:mo75MZlJ73ycrsRzuIK2WVrPb9c=
Content-Type: application/json

Overview

Here's a breakdown of the required components:

apiKey: Your unique API key assigned to your account.
x-iyzi-rnd: A randomly generated number included in the request header for each API call.
secretKey: Your secret key associated with your account.
requestString: The serialized version of the request payload parameters.

Authentication can be divided into three sequential steps:

requestString
SHA1 and base64
Authorization

1. requestString

The requestString represents a parsed version of the request payload, having undergone combined parsing operations. These operations include clearing all null spaces, converting colons (:) to equals (=), and removing any occurrences of double quotation marks (").

iyzico API services require the use of dots (.) for decimal numbers.

With in a sample, below you may find a dummy Bin Check request curl;

curl 
--location --request POST 'https://api.iyzipay.com/payment/bin/check' \
--header 'Authorization: IYZWS ***' \
--header 'x-iyzi-rnd: 123456789' \
--header 'Content-Type: application/json' \
--data-raw '{
  "locale":"tr",
  "binNumber":"535805"
}'

requestString for that Bin Check request is;

[locale=tr,binNumber=535805]

2. SHA1 and base64

Assuming that the requestString has been generated correctly, it is now time for SHA1 and Base64 encryptions. The pkiString process entails generating a hash using SHA1 encryption and subsequently encoding it in Base64.

The signature is generated using the following formula, relatively;

base64(SHA1(apiKey + request.headers["x-iyzi-rnd"] + secretKey + requestString))

The result is our pkiString to be used in the header.

3. Authorization

After all the operations, the final and simplest step is to include IYZWS, YOUR_API_KEY, and pkiString in the header, relatively.

...
"Authorization": "IYZWS"+" "+"YOUR_API_KEY"+":"+"pkiString"
...

In between IYZWS and YOUR_API_KEY there is a single line space.

Sample Pre-request Script of Authorization on Postman

Taking a dummy Bin Check request as an example, the authorization process would be as follows;

var apiKey = pm.variables.get("apiKey")
var secretKey = pm.variables.get("secretKey")

var binNumber = {
    locale:null,
    conversationId:null,
    binNumber:null,
};

function nullClear(obj){
    for (var member in obj) {
        
        if(obj[member] === null) {    
            delete obj[member];
        }
        else if (typeof obj[member] === 'object'){
            obj[member]=nullClear(obj[member]);
            if(Object.keys(obj[member]).length===0){
                delete obj[member];
            }
        }
    }
    
    return obj;
}

//Set json string to model
function jsonToObj(jsonString, obj) {
    var parsedJsonString = JSON.parse(jsonString)
    for(var key in parsedJsonString) {
        if(parsedJsonString.hasOwnProperty(key)) {
            if (typeof parsedJsonString[key] === 'object') {
                if(Array.isArray(parsedJsonString[key])){
                    for(var i = 0; i < parsedJsonString[key].length; i++){
                        if(key =="basketItems"){
                            obj[key].push(new BasketItem());
                            obj[key][i]=jsonToObj(JSON.stringify(parsedJsonString[key][i]), obj[key][i])
                        }else {
                            obj[key][i] = parsedJsonString[key][i];
                        }
                    }
                }else{
               obj[key] = jsonToObj(JSON.stringify(parsedJsonString[key]), obj[key])
                }
            }else{
                obj[key] = parsedJsonString[key];
            }
            
        }
    }
    obj = nullClear(obj);
    
    return obj;
}

//generate pki string of object
function generateRequestString(obj) {
    var isArray = Array.isArray(obj);
    
    var requestString = '[';
    for (var i in obj) {
        var val = obj[i];
        if (!isArray) {
            requestString += i + '=';
        }
        if (typeof val === 'object') {
            requestString += generateRequestString(val);
        } else {
            requestString += val;
        }
        requestString += isArray ? ', ' : ',';
    }
    requestString = requestString.slice(0, (isArray ? -2 : -1));
    requestString += ']';
    return requestString;
    
}    

//generate authorization string
function generateAuthorizationString(obj) {
    var requestString = generateRequestString(obj);
    var hashSha1 =  CryptoJS.SHA1(apiKey+request.headers["x-iyzi-rnd"]+secretKey+requestString);
    var hashInBase64 = CryptoJS.enc.Base64.stringify(hashSha1);
    var authorization = "IYZWS"+" "+apiKey+":"+hashInBase64;
    console.log(requestString);
    postman.setGlobalVariable("pkiString", apiKey+request.headers["x-iyzi-rnd"]+secretKey+requestString);
    return authorization
}

var requestModel = binNumber;
requestModel = jsonToObj(request.data, requestModel);
var authorization = generateAuthorizationString(requestModel)
postman.setGlobalVariable("authorization", authorization);

PreviousAuthentication NextSHA256 Authentication

Last updated 1 month ago