Authentication
All requests to EdfaPay APIs must carry a hash that lets the server validate the origin of the request and the integrity of its key fields. The hash is computed from request data plus a shared secret (your merchant hash password), so only a party holding the secret can produce a valid value.
How Authentication Works
Authentication involves generating a hash from key request fields and your merchant secret hash password. The hash is sent with the API request so the server can recompute it and validate the integrity and authenticity of the data.
Hash Generation Logic
To generate the hash:
Required Fields:
- payer_email: Customer's email address.
- card_number: Customer's card number (PAN); only the first 6 digits + last 4 digits are used.
- password: Secret hash password provided by EdfaPay.
Hash Formula (the result is a 32-character hexadecimal string):
HASH = MD5( UPPERCASE( Reverse(payer_email) + password + Reverse(first6PAN + last4PAN) ) )
Example - JavaScript Hash Generation
```javascript
const CryptoJS = require("crypto-js"); // npm install crypto-js

const password = "YOUR_SECRET_HASH_PASSWORD"; // secret hash password issued by EdfaPay
const email = "[email protected]";           // payer_email exactly as sent in the request
const cardNumber = "5123456789012346";          // full PAN; only first 6 + last 4 digits enter the hash

// Reverse a string character by character.
const reverse = str => [...str].reverse().join('');

// reverse(payer_email) + password + reverse(first6PAN + last4PAN)
const baseString = reverse(email) + password + reverse(cardNumber.slice(0, 6) + cardNumber.slice(-4));

// MD5 of the upper-cased base string, returned as a lowercase hex string.
const finalHash = CryptoJS.MD5(baseString.toUpperCase()).toString();
console.log("Generated Hash:", finalHash);
```
Note: Use CryptoJS.MD5 or an equivalent MD5 utility in your backend language.
Sending the Hash
Include the generated hash in your request as a field named hash, for example as a form field in a curl request:
--form 'hash="e3aab9d93e1b43a0a872bd8442f76c01"'
Authentication & Security Best Practices
| Practice | Description |
|---|---|
| Hash Server-side | Always generate the hash on the server, never client-side. |
| Use HTTPS | All API endpoints require HTTPS; HTTP requests will be blocked. |
| Keep Secret Password Safe | Do not hardcode your password; store it in secure environment variables. |
| Limit IPs (if applicable) | Optionally restrict access to known IPs (contact support). |
| Monitor Activity | Track unusual transaction volume or failed hash verifications. |
| Rotate Secret Periodically | Change your password every 60-90 days. |
| Secure Webhooks | Validate incoming hashes on webhook responses to verify authenticity. |
Authentication Request Possible Errors
| Error Code | Message | Cause | Action |
|---|---|---|---|
| AUTH_HASH_MISSING | Hash value is missing | The hash field was not sent. | Ensure hash is included in the request. |
| AUTH_HASH_INVALID | Hash mismatch | Incorrect hash, wrong password, or incorrect fields. | Regenerate the hash and check all values. |
| MERCHANT_DISABLED | Merchant account is disabled | Your EdfaPay account is not active. | Contact support. |
| INVALID_CLIENT_KEY | Invalid client key | Wrong client_key or malformed value. | Verify client_key is correct. |
| UNSECURE_CONNECTION | Request not over HTTPS | Request sent via HTTP. | Always use HTTPS endpoints. |
Important Notes:
- Include a valid hash in every payment-related request (SALE, AUTH, RECURRING, etc.).
- The full card number is used only during hash generation (only its first 6 and last 4 digits enter the hash); it is not sent with the final payload.
- If the hash does not match on the server, the request will be rejected immediately.