Skip to main content

Need to know

Pre-requisites

Before starting to build your payment extension, make sure you have registered your payment extension in your partner panel and obtained Extension API Key and Extension API Secret.

Verifying API calls

To keep the communication between Fynd platform and payment extension secure, Fynd Platform uses checksum generated using Extension API Secret to verify communications. Refer below guide to know how the payment API are verified.

Verifying Initiate Payment Transaction and Initiate Refund Transaction API

Follow below steps:

  1. Generate checksum by creating hash of payload body of these requests using HMAC algorithm and signed using Extension API Secret. Sample code.
  2. Compare the checksum generated in step 1 with the checksum header received in these API requests. Only if both checksum match, it should proceed with the request.

Passing checksum in updatePaymentSession and updateRefundSession API

Follow below steps:

  1. Generate checksum by creating hash of request body using HMAC algorithm and signed using Extension API Secret. Sample code.
  2. Pass the checksum generated in step 1 in request body when calling updatePaymentSession and updateRefundSession API
  3. Fynd platform validates API request using this checksum.

Sample code for checksum generation of request payload

import hmac
import hashlib
import json

payload = {} # python dictionary of request body
secret = "EXTENSION_API_SECRET" # EXTENSION_API_SECRET
message = json.dumps(payload, separators=(',', ':'))
hmac_obj = hmac.new(secret.encode('utf-8'), message.encode('utf-8'), hashlib.sha256)
checksum_auth = hmac_obj.hexdigest()
print(checksum_auth)

Verifying Get Payment Status and Get Refund Status API

Follow below steps:

  1. Generate checksum from payment transaction ID gid parameter received in these API requests using HMAC algorithm and signed using Extension API Secret. Sample code.
  2. Compare the checksum generated in step 1 with the checksum header received in these API requests. Only if both checksum match, it should proceed with the request.

Sample code for checksum generation of transaction ID

import hmac
import hashlib
import json

secret = "EXTENSION_API_SECRET" # EXTENSION_API_SECRET
message = "gid" # order gid
hmac_obj = hmac.new(secret.encode('utf-8'), message.encode('utf-8'), hashlib.sha256)
order_checksum_auth = hmac_obj.hexdigest()
print(order_checksum_auth)

Verifying get activation status API

Follow below steps:

  1. Generate checksum by encoding Extension API Secret using base64 encoding. Sample code.
  2. Compare the checksum generated in step 1 with the authorization header received in this API request. Only if both checksum match, it should proceed with the request.

Sample code for checksum generation using base64 encoding of extension API secret

import base64

secret = bytes("EXTENSION_API_SECRET", 'utf-8')
basic_auth = "Basic " + base64.b64encode(secret).decode('utf-8')
print(basic_auth)

Idempotency

The payment extension must support idempotency to ensure consistent data and a seamless buyer experience. This can be done by using transaction ID gid which will be unique for each transactaion. For example if extension receives multiple payment (or refund) initiate calls from platform for same gid, then extension must only process first request and for subsequent requests it should return the order ID (or refund ID) generated in the first request only and not create new orders (or refunds).


Was this section helpful?