Request Signature in Kukuruku API
Authorization Data
You can get it in your dashboard. Example:
secretKey: rmQXpjQyAtzS65oVhRLwY9s669UyDKJlmerchant_id: 1
They are issued after registering your project in the Kukuruku system.
Signing Requests
Every request sent to Kukuruku must include the merchant_id field in the body, and a signature header in the HTTP headers, which is generated as follows:
Take the JSON string of the request body, compute its HMAC using the SHA512 algorithm, and use your secretKey as the secret key.
Example in NodeJS:
const axios = require('axios')
const sha512 = require('js-sha512').sha512
const headers = {}
const data = {
merchant_id: 1,
amount: 500,
currency: "RUB",
callback_url: "https://your-site.com/callback",
order_number: "orderNumber",
redirect_success_url: "https://your-site.com/success",
redirect_fail_url: "https://your-site.com/fail",
customer: {
client_id: "someuser@gmail.com"
}
}
const signature = sha512.hmac('rmQXpjQyAtzS65oVhRLwY9s669UyDKJl', JSON.stringify(data))
headers.signature = signature
await axios({
method: 'POST',
url: 'https://api.kukuruku.win/api/v1/orders/payins',
data,
headers
})
Signature Verification
Any request sent from KukuPay to the merchant will include a signature field in the headers, which must be verified on the merchant’s side as follows:
Take the JSON string of the request body, then compute the HMAC using the SHA512 algorithm, and use your secretKey as the secret key.
Example in NodeJS:
const sha512 = require('js-sha512').sha512
const request = {
data: {
...
},
headers: {
signature: 'ca7ec944b0dbd83fd856167ddba2d2add2167f63dfc40b4f658eb22402ecc9340a9a0026d095afe7c52081a8bd8a5c2e153f695c95d7bdaaf09010dc9d85932d'
}
}
const signature = sha512.hmac('rmQXpjQyAtzS65oVhRLwY9s669UyDKJl', JSON.stringify(request.data))
if (signature !== request.headers.signature) return 'Invalid Signature'