Nuvei’s API authentication uses Cryptographic hash-based (SHA-256) tokens.
Nuvei will assign the following unique credentials to all merchants:
merchantId– Identifies you as the merchant. Provided to you by Nuvei. Needs to be sent with each request to our API.
merchantSiteId– Identifies your site ID. Provided to you by Nuvei. Needs to be sent with each request to our API.
merchantSecretKey– This is the authentication component of the hash. Provided to you by Nuvei.
Each payment request session starts with opening an order session request:
openOrder– Use this method to open a session if you are using the Web SDK.
getSessionToken– Use this method to open a session if you are using the server-to-server SDK.
The session expires after 15 minutes and a new session must be initiated.
Nuvei’s API security is based on Cryptographic hash-based (SHA-256).
The “hashing” or the “checksum” as it is sometimes called, must be a single string without spaces with the values of the following parameters in the exact order as listed below.
These are the fields to include in the checksum, in this order:
- amount (of the payment)
- currency (of the payment)
- clientRequestId – *This is optional, can be empty
- timestamp – A timestamp to make the hashing unique for the call
This is an of example checksum fields. Note, in this case we have not included the optional
- merchantSecretKey = Secret1234
- merchantId = 2389668057520747493
- merchantSiteId = 199116
- amount = 10
- currency = EUR
- timestamp = 2020-01-01 13:12:11
The concatenation of the string before hashing: Secret1234238966805752074749319911610EUR2020-01-01 13:12:11
The checksum value equals (SHA-256):