Nuvei’s API authentication uses Cryptographic hash-based (SHA-256) tokens.
First, as a merchant you will be assigned unique credentials:
merchantId – Identifies you as the merchant. Provided to you by Nuvei. Needs to be sent with each request to our API.
merchantSiteId – Identifies your site ID. Provided to you by Nuvei. Needs to be sent with each request to our API.
merchantSecretKey – This is the authentication component of the hash. Provided to you by Nuvei.
Each payment request session starts with opening an order session request:
openOrder – Use this method to open a session if you are using the Web SDK.
getSessionToken – Use this method to open a session if you are using the server-to-server SDK.
The session expires after 15 minutes and a new session must be initiated.
Nuvei’s API security is based on Cryptographic hash-based (SHA-256).
The “hashing” or the “checksum” as it is sometimes called, must be a single string without spaces with the values of the following parameters in the exact order as listed below.
- amount (of the payment)
- currency (of the payment)
- clientRequestId – *This is optional, can be empty
- timestamp – A timestamp to make the hashing unique for the call
- merchantSecretKey = Secret1234
- merchantId = 2389668057520747493
- merchantSiteId = 199116
- amount = 10
- currency = EUR
- timestamp = 2020-01-01 13:12:11
* Note: Not using the optional
clientRequestId in this call.
The concatenation of the string before hashing: Secret1234238966805752074749319911610EUR2020-01-01 13:12:11
In this example, the checksum value equals (SHA-256):