Authentication


Overview

The Finswich API uses API keys to authenticate requests. You can view and manage your API keys in the Finswich app.

Test mode secret keys have the prefix (test) and live mode secret keys have the prefix (live).

Your API keys carry many privileges, so be sure to keep them secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.

All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.

You can generate an API key from your Dashboard at any time.

Getting your API Keys

Retrieve your API keys from the Merchants Dashboard. The keys are downloaded as a CSV file after you enter your Finswich password.

How Authentication Works

During the "Complete Transaction Event", Finswich makes a POST request to the merchant's outgoing webhook. We hash the payload (req.body) and add a custom request header, "x-finswich-signature", which contains the hash of the payload.

The payload is hashed using the merchant's secret key and the SHA 512 hashing algorithm. This allows the merchant to confirm the integrity of the data received from us. The merchant rehashes the payload with the same hashing algorithm and secret key; if the hashes do not match, the payload must have been tampered with and should therefore be discarded.

headers = {
 "x-finswich-signature": hashed_payload,
 "x-public-key": public_key,
 "x-origin": "<your whitelisted URL>"
}
body: { txn_reference: txn_ref, auth_code }
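
The merchant-side check described above, as an added example that is not Finswich's own code. It assumes the "hash with the secret key" is a hex-encoded HMAC-SHA512 computed over the raw request body bytes; the function names and sample values are hypothetical and constructed for illustration.

```javascript
// Added example, not Finswich's own code. Assumptions: the signature is a
// hex-encoded HMAC-SHA512 over the raw request body bytes, keyed with the
// merchant's secret key. Function and constant names are hypothetical.
const { createHmac, timingSafeEqual } = require("node:crypto");

// Recompute the signature for a raw body (Buffer or string).
function signPayload(rawBody, secretKey) {
  return createHmac("sha512", secretKey).update(rawBody).digest("hex");
}

// True only when the x-finswich-signature value matches the recomputed one.
function verifyWebhook(rawBody, signatureHeader, secretKey) {
  // Reject a missing header or anything that is not 128 hex chars (64 bytes).
  if (typeof signatureHeader !== "string") return false;
  if (!/^[0-9a-f]{128}$/i.test(signatureHeader)) return false;
  const expected = Buffer.from(signPayload(rawBody, secretKey), "hex");
  const received = Buffer.from(signatureHeader, "hex");
  // Constant-time compare; both buffers are 64 bytes here, so it cannot throw.
  return timingSafeEqual(expected, received);
}

// Constructed sample data (not real keys, references or codes).
const SAMPLE_SECRET = "test_constructed_secret";
const SAMPLE_BODY = Buffer.from(
  '{"txn_reference":"TXN-EXAMPLE-001","auth_code":"000000"}'
);
const SAMPLE_SIGNATURE = signPayload(SAMPLE_BODY, SAMPLE_SECRET);

function demo() {
  const text = SAMPLE_BODY.toString("utf8");
  const tampered = Buffer.from(text.replace("001", "002"));
  // Parsing and re-serializing changes the bytes, so the hash changes too.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(text), null, 2));
  return {
    genuine: verifyWebhook(SAMPLE_BODY, SAMPLE_SIGNATURE, SAMPLE_SECRET),
    tampered: verifyWebhook(tampered, SAMPLE_SIGNATURE, SAMPLE_SECRET),
    wrongKey: verifyWebhook(SAMPLE_BODY, SAMPLE_SIGNATURE, "other_secret"),
    missingHeader: verifyWebhook(SAMPLE_BODY, undefined, SAMPLE_SECRET),
    reserialized: verifyWebhook(reserialized, SAMPLE_SIGNATURE, SAMPLE_SECRET),
  };
}

console.log(demo());
```

In an Express handler, capture the raw body (for example with express.raw) before any JSON parsing, and confirm with Finswich which serialization of req.body is signed.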
