Wallet API is composed of two different, but related features:

  1. To get information about Paysera system's user and his/her account;
  2. To make payments between Paysera accounts. This includes sending, receiving and coordinating payments.

Terms used in API

Most of the terms represent resources, available in API. For more detailed descriptions please refer to the documentation available in other chapters of the specification.

Client - This one is used to refer to the API client - your script or application, which makes requests to the API. Client permissions are configurable and also depend on the client type (web-based client, mobile application, physical location etc.)

Project - The project has an owner and a default account for incoming payments. Several different clients can make requests representing the same project. Similarly, one client sometimes can represent several different projects.

User - A registered user in Paysera system. It can be a person or a company.

Account - An account with balance, belonging to a user. Users can have permissions to use other accounts than their own, this is always the case for company's accounts - only persons can access them.

Wallet - A wallet is always related to a certain user and a certain account. Each user can have one or more wallets, each of them can have different limits, options etc. A wallet can be related to a card or other identifier, so it's possible for a user to have several wallets, related to the same account.

Allowance, Payment and Transaction - A transaction is a combination of Payment(s) and possibly an Allowance. The user confirms the transaction on a web page by providing some secret information, like PIN, or in advance by using an allowance. The transaction is related to a specific wallet and it's limits are used to validate the payments. Each payment has a beneficiary, which is also a wallet, usually belonging to the project.

How to start?

Step 1. Read the documentation

First of all, before continuing you should read the documentation to find out if it's the right tool, which you are looking for.

Step 2. Get Paysera account

There are two types of accounts which could be used with an integration:

  • Production is used as a real environment. To obtain an account register in Paysera.
  • Sandbox is used as a developing environment. To obtain an account, register in Paysera Sandbox.

Watch video instructions

Step 3. Sign an Agreement

Contact Paysera with a description of how are you going to use specific API, which API will be used and will it be used with Production or Sandbox. You might be asked to provide additional information.

Signing an agreement can be skipped if Sandbox environment will be used, but we strongly advise to sign an agreement at any case, as only with an agreement you might be sure, that we will allow using our services in Production.

Step 4. Get API client configured

Read the chapter about Authentication and choose the method you prefer, inform Paysera about your selection. It takes time to configure all, so when it will be ready, we will send credentials to your specified address.

Sandbox and Production environments are different, so you won't be able to use the same credentials from one environment on another.

Info Sandbox client can be configured without an agreement, while Production client requires an agreement.

Authentication

All API calls must be authenticated. Currently, two authentication schemes are used:

  • By using MAC access authentication - providing the signature of the request as a header in each request. The shared secret key is used, but never sent with the request. This authentication protocol is always used to provide the access token (getting user's information).
  • By using SSL client certificate. Before using this protocol, the owner of the client provides a certificate request for Paysera administrators. The certificate request is signed and the certificate is provided back to the client's owner. This certificate, together with the related private key, is used to sign each API request. This method is safer, as the secret is never shared w ith Paysera system - the private key is known only to the client.

In any case, all requests to the Paysera system are made using HTTPS protocol. Paysera system always authenticates the client, but the client needs to be sure that the authentication on Paysera server is performed too. For all API calls, the certificate of Paysera server must be checked for validity. This protects from DNS spoofing, MITM, and similar attacks.

MAC access authentication

MAC access authentication used in API is based on the OAuth 2.0 Message Authentication Code (MAC) Tokens specification.

Before using API, you must register your app in Paysera system. Public registration is not yet available, please contact our support to register the client for this API. You will be provided with your credentials, for example:

client_id:     wkVd93h2uS
mac_key:       IrdTc8uQodU7PRpLzzLTW6wqZAO6tAMU
mac_algorithm: hmac-sha-256
Important mac_key must be kept secret at all times.
Info You are recommended to use provided libraries that do most of the authentication work for you, if one is available for your programming language.
Info All MAC authentication header examples in this specification are valid and generated with these credentials.

At each request to API the client must construct an authentication header by calculating the UNIX timestamp and generating a random string used as a nonce. From these values, together with the HTTP request method, request URI, hostname, port and mac_key, the client has to calculate hash using the algorithm defined by mac_algorithm. This calculated hash is mac value, which must be included in the authorization header.

Authorization header

Authorization header must contain the authorization protocol (MAC) and the following parameters:
  • id - ID assigned to the client making the request (client_id);
  • ts - calculated UNIX timestamp;
  • nonce - randomly generated value; only characters in ranges %x20-21 / %x23-5B / %x5D-7E can be used;
  • mac - calculated hash of request values and mac_key;
  • ext - extension to MAC protocol. May contain parameter body_hash and extra parameters project_id, location_id. Parameters are URL-encoded. body_hash is the result of sha256 and base64 encoded request content if it's present. If there is no content, body_hash should be omitted. ext can be empty if there are no parameters, including body_hash.
Example:
GET /rest/v1/payment/10145 HTTP/1.1
Host: wallet.paysera.com
User-Agent: Paysera WalletApi PHP library
Authorization: MAC id="wkVd93h2uS", ts="1343811600", nonce="nQnNaSNyubfPErjRO55yaaEYo9YZfKHN", mac="/qxTA8FOgT0Dd0MHh9k/sUQ3Q38ckx8+S0PBxpIuttY="

Calculating MAC value

mac value is calculated from the normalized request string and mac_key parameter.
Normalized request string
The normalized request string is constructed by concatenating together, in order, the following HTTP request elements, each followed by a new line character (%0A when urlencoded, \n in most of programming languages):
  1. timestamp;
  2. nonce;
  3. HTTP request method in upper case;
  4. HTTP request URI;
  5. Host request header in lower case;
  6. Request port - in this API always 443;
  7. The value of ext field - URL-encoded string containing various extra parameters.
An example - a corresponding normalized request string for previously given request, \n given just for clarity and represents a new line character:
1343811600\n
nQnNaSNyubfPErjRO55yaaEYo9YZfKHN\n
GET\n
/rest/v1/payment/10145\n
wallet.paysera.com\n
443\n
\n
Warning New line character must be put after each of elements, even after the last one when it is just an empty string

MAC calculation algorithm

If MAC algorithm is hmac-sha-256, mac is calculated using HMAC algorithm together with the sha256 hash function:
mac = HMAC-SHA256(mac_key, normalizedRequestString)

Please refer to HMAC and SHA256 specifications for more details on these algorithms.

The result is provided as a binary result, encoded in base64.

SSL client certificate authentication

When using this authentication scheme, no additional headers are needed. To register the certificate with Paysera system, the certificate request must be provided for our administrators to generate the signed certificate.

Before generating the certificate request, a private key must be generated. Always keep the private key securely and don't disclose it even to Paysera administrators.

For example, the certificate request can be generated using openssl command line client:

openssl genrsa -out private.pem 2048
openssl req -new -key private.pem -out certificate_request.csr

Country Name (2 letter code) [AU]:LT
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Vilnius
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UAB Some Company
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:info@example.com
Info Skip an input field with a name An optional company name [] when generating a certificate request