About the signature
At PagaSul, payment safety is one of our top priorities, which is why we require that all API requests to the payment platform include a digital signature. Always generate a digital signature and include it in your requests before sending them.
When PagaSul receives your request, it verifies the received data by comparing your signature to the one generated in the payment platform. If the signatures don't match, the PagaSul payment platform won't process the payment.
The responses and callbacks that you get from the payment platform contain signatures as well. When you get responses or callbacks from PagaSul, you should verify the received data by comparing the signatures to the ones generated in your system.
To generate a signature for your request:
- Create a string of all the parameters from the request body including spaces, hyphens, and other symbols without using any conversions.
- Calculate the HMAC (hash-based message authentication code) of the string by using the SHA-512 hash function and the secret key you obtained from PagaSul when integrating.
- Convert the HMAC to a hexadecimal string.
- Encode the hexadecimal string by using base64.
Here's an example of signature generation in Go.
```go
import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/base64"
	"encoding/hex"
)
func CalcHmacSha512(requestBody string, clientSecretKey string) string {
	h := hmac.New(sha512.New, []byte(clientSecretKey))
	h.Write([]byte(requestBody))
	// Hex-encode the HMAC result, then base64-encode the hexadecimal string
	return base64.StdEncoding.EncodeToString([]byte(hex.EncodeToString(h.Sum(nil))))
}
```
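The verification side described above for responses and callbacks, as an added Go example that is not PagaSul's own code: it recomputes the signature over the body bytes exactly as received and compares in constant time. The names `Sign`, `VerifyCallback` and `Reencode`, the key and the sample body are constructed for illustration; this page does not say how the signature is transported, so it is passed in as a plain string.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Sign applies the steps above: base64(hex(HMAC-SHA512(rawBody, secretKey))).
func Sign(rawBody []byte, secretKey string) string {
	h := hmac.New(sha512.New, []byte(secretKey))
	h.Write(rawBody)
	return base64.StdEncoding.EncodeToString([]byte(hex.EncodeToString(h.Sum(nil))))
}

// VerifyCallback recomputes the signature over the body bytes exactly as they
// arrived and compares it with the received one in constant time, so response
// timing does not reveal how many leading characters matched.
func VerifyCallback(rawBody []byte, receivedSig, secretKey string) bool {
	expected := Sign(rawBody, secretKey)
	return hmac.Equal([]byte(expected), []byte(receivedSig))
}

// Reencode parses and re-serializes JSON. It is here only to show a failure
// mode: key order and whitespace change, so the signature no longer matches.
func Reencode(rawBody []byte) []byte {
	var v map[string]interface{}
	if err := json.Unmarshal(rawBody, &v); err != nil {
		return nil
	}
	out, _ := json.Marshal(v)
	return out
}

func main() {
	key := "constructed-test-key"                                // constructed, not a real key
	body := []byte(`{"order_id": "A-1001", "amount": "150.00"}`) // constructed callback body
	sig := Sign(body, key)                                       // stands in for the received signature

	fmt.Println("raw body:       ", VerifyCallback(body, sig, key))
	fmt.Println("tampered amount:", VerifyCallback([]byte(`{"order_id": "A-1001", "amount": "950.00"}`), sig, key))
	fmt.Println("re-encoded JSON:", VerifyCallback(Reencode(body), sig, key))
	fmt.Println("wrong key:      ", VerifyCallback(body, sig, "other-key"))
}
```

Only the first check passes. The re-encoded case is why verification should run on the raw bytes before any JSON parsing, matching the "without using any conversions" rule in the signing steps.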