Signature
The signature is used to verify the integrity and authenticity of the API request. It ensures that the payload has not been altered (tampered with) during transmission and that the request originates from a trusted source.
Sign Strategy
- The signature is an HMAC-SHA256 hash generated from a sequence of parameter values combined with a secret key.
- The secret key is a server-side shared secret assigned to merchants by Fiuu.
- All parameters included in the message exchange are part of the signature calculation except:
- Empty parameters (not zero values).
- The
signatureparameter itself.
- Rules for generating the signature:
- Sort all parameter values alphabetically.
- Use original parameter values (do not URL-encode).
- Treat all parameters as case-sensitive.
- Include a datetime parameter in the signature to prevent duplicate transactions.
Example
For this example, we will use:
- MID:
603778000000001 - TID:
91100033 - merchantId:
fiuuMerch1 - secretKey:
75DC529B942513DFA77F43EC3451F137
Sample Sale Request Payload
{
"transType": "sale",
"posId": "fiuuPos1",
"merchantId": "fiuuMerch1",
"deviceId": "fiuuDeviceId1",
"referenceId": "fiuuPosRefId1",
"referenceLabel": "Contrib ID",
"apiVersion": "v1",
"datetime": "20250115081928",
"transData": {
"transAmt": "1.00",
"paymentMethod": "bankCard",
"note": "This is a test note"
}
}
Step 1: Extract Parameter Values
Flatten the payload into a list of values:
[
"sale",
"fiuuPos1",
"fiuuMerch1",
"fiuuDeviceId1",
"fiuuPosRefId1",
"Contrib ID",
"v1",
"20250115081928",
"1.00",
"bankCard",
"This is a test note"
]
Sample function to flatten the object in multiple languages:
- JavaScript
- PHP
- C#
- Java
- Go
- Dart
function flattenObject(obj) {
let result = [];
for (let key in obj) {
if (typeof obj[key] === "object" && obj[key] !== null) {
result = result.concat(flattenObject(obj[key]));
} else {
result.push(obj[key]);
}
}
return result;
}
function flattenObject($obj) {
$result = [];
foreach ($obj as $key => $value) {
if (is_array($value) || is_object($value)) {
$result = array_merge($result, flattenObject((array)$value));
} else {
$result[] = $value;
}
}
return $result;
}
using System.Collections.Generic;
List<object> FlattenObject(Dictionary<string, object> obj)
{
var result = new List<object>();
foreach (var kv in obj)
{
if (kv.Value is Dictionary<string, object> nested)
{
result.AddRange(FlattenObject(nested));
}
else
{
result.Add(kv.Value);
}
}
return result;
}
import java.util.*;
public static List<Object> flattenObject(Map<String, Object> obj) {
List<Object> result = new ArrayList<>();
for (Map.Entry<String, Object> entry : obj.entrySet()) {
Object value = entry.getValue();
if (value instanceof Map) {
result.addAll(flattenObject((Map<String, Object>) value));
} else {
result.add(value);
}
}
return result;
}
func FlattenObject(obj map[string]interface{}) []interface{} {
result := []interface{}{}
for _, v := range obj {
if nested, ok := v.(map[string]interface{}); ok {
result = append(result, FlattenObject(nested)...)
} else {
result = append(result, v)
}
}
return result
}
List<dynamic> flattenObject(Map<String, dynamic> obj) {
List<dynamic> result = [];
obj.forEach((key, value) {
if (value is Map<String, dynamic>) {
result.addAll(flattenObject(value));
} else {
result.add(value);
}
});
return result;
}
Step 2: Sort Values Alphabetically
[
"1.00",
"20250115081928",
"Contrib ID",
"This is a test note",
"bankCard",
"fiuuDeviceId1",
"fiuuMerch1",
"fiuuPos1",
"fiuuPosRefId1",
"sale",
"v1"
]
Step 3: Concatenate Sorted Values
Concatenate the actual values of the parameters in the sorted order:
1.0020250115081928Contrib IDThis is a test notebankCardfiuuDeviceId1fiuuMerch1fiuuPos1fiuuPosRefId1salev1
Step 4: Generate HMAC-SHA256 Hash
Apply HMAC-SHA256 using the secret key:
HMAC_SHA256(
"1.0020250115081928Contrib IDThis is a test notebankCardfiuuDeviceId1fiuuMerch1fiuuPos1fiuuPosRefId1salev1",
"75DC529B942513DFA77F43EC3451F137"
);
Resulting Hash:
e2c28c6eb6470e99ead904decf5a70e14f99c2a3f6f43597221557dc4614fc66