2025-03-25
  • 2025-03-25
  • 2025-01-20
  • 2022-03-14
Help Center
VCCHUB How-to
2025-03-25
  • 2025-03-25
  • 2025-01-20
  • 2022-03-14
  1. API Reference
  • Guides
    • Welcome
    • Interface
  • API Reference
    • Introduction
    • Endpoints
    • Data Types
    • Signing
    • 3-D Secure Verification
    • Subscription
    • Errors
    • Webhooks
    • Items Information
    • Changelog
    • Acquiring
      • Create a direct payment
        POST
      • Create a APM payment
        POST
      • Create a redirect (iFrame) payment
        POST
      • Query a transaction
        POST
      • Capture a transaction
        POST
      • Review a transaction
        POST
      • Cancel a transaction
        POST
      • Cancel a subscription
        POST
      • Refund a transaction
        POST
      • Search a refund transaction
        POST
      • Create a payout
        POST
      • Optimise payment methods
        POST
    • Issuing
      • Cardholder
        • Create cardholder
        • Delete cardholder
        • Query cardholder
      • Group
        • Create group
        • Query group details
        • Delete group
        • Group Card Withdrawal
        • Update group status
        • Recharge group
        • Query rule
      • Card
        • Create a card
        • Query card details
        • Query card transaction
        • Cancel a card
        • Withdraw from a card
        • Update card status
        • Recharge card
        • Update shared card limit
        • Query for card operation
        • Query card BIN
  • Appendix
    • Test Cards
    • Bank Code
    • Country Code
    • Currency Code
    • Payment Methods
  1. API Reference

Signing

Acquiring Integration#

The request body (payload) must be signed to ensure the integrity and authenticity of the message. To generate a signature hash, Star SaaS provides each merchant with a Signature Key.
Every Merchant Account is assigned at least one Signature Key, which is used for signing API requests and receiving signed notifications from Star SaaS. Each Signature Key has a unique Key ID, and only one default Key ID can be active at a time for the Merchant Account. This allows Star SaaS to identify which key to use when sending notifications.
The Signature Key is uniquely generated and shared between the Merchant and Star SaaS. The signature itself is computed as a SHA256 (32-byte) hash and returned as a 64-character hexadecimal string.

Keys#

The Star SaaS API uses API keys for secure request encryption. To obtain your API key pairs, please reach out to your account manager.
Star SaaS provides separate API keys for test and live environments. Ensure you switch to the appropriate keys and endpoint URL when transitioning from the test environment to the live environment to avoid processing real transactions during testing.
All API requests must be sent over HTTPS, as calls made via HTTP will fail. Additionally, any API requests lacking proper encryption (using SHA256) will be rejected.
Keep Sign Key confidential!
Since your API keys provide extensive access, it’s crucial to keep them safe! Never share your secret API keys in publicly accessible locations like GitHub, client-side code, or similar areas.

How to encrypt#

JAVA
PHP
$encryption_data=sha256(merchant_id+account_id+order_no+currency+amount+first_name+
last_name+card+expiration_year+expiration_month+security_code+shopper_email+sign_key);
APM:
$encryption_data=sha256(merchant_id+account_id+order_no+currency+amount+
first_name+last_name+shopper_email+sign_key);
Alternatively, you can use this online tool to generate encryption data for testing purposes
https://tools.keycdn.com/sha256-online-generator
image.png
SHA256 Generator Example

Issuing Integration#

To ensure the security of API requests, the system uses a signature (sign) mechanism. The signature is generated based on the following encryption process. Developers must implement this logic to generate the signature and include it in the API request.

Encryption Method#

1.
Sort Parameters:
a. Collect all parameters (keys and values) from the API request.
b. Exclude the sign field.
c. Sort the parameters alphabetically by their keys.
2.
Create a JSON String:
a. Convert the sorted parameters into a JSON-formatted string.
3.
Concatenate the Signature Key:
a. Append the pre-shared signkey to the JSON string.
4.
Hash Using SHA256:
a. Encrypt the concatenated string using the SHA256 algorithm to generate the sign value.

Code Example#

Below is a Java example demonstrating the signature generation process:
JSONObject dataJson = JSONObject.from(params);
TreeMap<String, Object> tempMap = new TreeMap<>();
dataJson.forEach((k, v) -> {
    if (!k.equals("sign")) {
        tempMap.put(k, v);
    }
});
String dataJsonStr = JSONObject.toJSONString(tempMap);
String sign = EncryptUtils.findSHA256Encrypt(dataJsonStr+signkey);
Notes
● The sign value must be generated on the server and included in the request payload.
● The server validates the signature using the same logic. If the signature is invalid, the request will be rejected.
● Keep the signkey confidential to avoid security risks.

Example Scenario#

Given the following input parameters:
{
  "card_alias": "",
  "card_bin_id": 123,
  "card_type": "false",
  "cardholder_id": "1872205474338832123",
  "company_id": 1123,
  "cross_currency": true,
  "enable_multi_use": true,
  "end_date": "2025-01-11",
  "recharge_amount": 5,
  "request_id": "123",
  "start_date": "2025-01-07"
}
Steps:
1.
Sort Parameters:
Alphabetically sorted JSON:
{"card_alias":"","card_bin_id":101,"card_count":1,"card_type":"false","cardholder_id":"1872205474338832384","company_id":1801,"cross_currency":true,"enable_multi_use":true,"end_date":"2025-01-11","group_id":"","recharge_amount":5,"request_id":"113","start_date":"2025-01-07"}
2.
Concatenate Sign Key:
{"card_alias":"","card_bin_id":101,"card_count":1,"card_type":"false","cardholder_id":"1872205474338832384","company_id":1801,"cross_currency":true,"enable_multi_use":true,"end_date":"2025-01-11","group_id":"","recharge_amount":5,"request_id":"113","start_date":"2025-01-07"}<signkey>
3.
Generate SHA256 Hash
Use the SHA256 algorithm to hash the concatenated string. The result becomes the sign value.
Ensure your implementation follows these steps to maintain the integrity and security of API interactions.
Previous
Data Types
Next
3-D Secure Verification