API Authentication
Nuvei’s API authentication uses cryptographic hash-based (SHA-256) tokens.
Nuvei will assign the following unique credentials to all merchants:
- merchantId – Identifies you as the merchant. Provided to you by Nuvei. Needs to be sent with each request to our API.
- merchantSiteId – Identifies your site ID. Provided to you by Nuvei. Needs to be sent with each request to our API.
- merchantSecretKey – This is the authentication component of the hash. Provided to you by Nuvei.
Session Token
Each payment request session starts with opening an order session request:
- openOrder – Use this method to open a session if you are using the Web SDK.
- getSessionToken – Use this method to open a session if you are using the server-to-server SDK.
The session’s opening request retrieves a sessionToken, which you will use to send each call in the session (e.g. /payment, /getPaymentStatus, etc.).
The session expires after 15 minutes and a new session must be initiated.
Hashing Calculation (the “checksum” field)
Nuvei’s API security is based on a cryptographic hash (SHA-256).
The “hashing”, or the “checksum” as it is sometimes called, must be a single string without spaces, containing the values of the following parameters in the exact order listed below.
These are the fields to include in the checksum, in this order:
- merchantSecretKey
- merchantId
- merchantSiteId
- amount (of the payment)
- currency (of the payment)
- clientRequestId – This is optional and can be empty
- timestamp – A timestamp to make the hashing unique for the call
This is an example of the checksum fields. Note that in this case we have not included the optional clientRequestId field:
- merchantSecretKey = Secret1234
- merchantId = 2389668057520747493
- merchantSiteId = 199116
- amount = 10
- currency = EUR
- timestamp = 2020-01-01 13:12:11
The concatenation of the string before hashing: Secret1234238966805752074749319911610EUR2020-01-01 13:12:11
The checksum value equals (SHA-256): 1c9becc3578b75b845228a03ec3aa11f6d0e3e680a3f49392fe4d269c74ae020
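The calculation above as a short Python sketch, using the example values from this page. This is an added example, not Nuvei's own code: the function names are hypothetical, and UTF-8 encoding of the string before hashing is an assumption.

```python
import hashlib
import hmac

# Request fields in the order listed on this page; merchantSecretKey is prepended.
CHECKSUM_FIELDS = ("merchantId", "merchantSiteId", "amount", "currency",
                   "clientRequestId", "timestamp")


def checksum_input(secret_key, params):
    """Concatenate the secret key and the request fields in the documented order."""
    # clientRequestId is optional: a missing field contributes an empty string.
    return secret_key + "".join(str(params.get(f, "")) for f in CHECKSUM_FIELDS)


def compute_checksum(secret_key, params):
    """Return the lowercase hex SHA-256 digest of the concatenated string."""
    # Assumption: the string is encoded as UTF-8 before hashing.
    data = checksum_input(secret_key, params).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def checksum_matches(secret_key, params, received):
    """Recompute the checksum and compare it with a received one in constant time."""
    expected = compute_checksum(secret_key, params).encode("ascii")
    return hmac.compare_digest(expected, received.strip().lower().encode("utf-8"))


# Example values from this page (clientRequestId omitted).
# In real code, load the secret key from a secret store and never log it.
EXAMPLE_SECRET = "Secret1234"
EXAMPLE_PARAMS = {
    "merchantId": "2389668057520747493",
    "merchantSiteId": "199116",
    "amount": "10",
    "currency": "EUR",
    "timestamp": "2020-01-01 13:12:11",
}

if __name__ == "__main__":
    digest = compute_checksum(EXAMPLE_SECRET, EXAMPLE_PARAMS)
    print("checksum:", digest)
    # Changing any field after the checksum was computed makes the check fail.
    tampered = dict(EXAMPLE_PARAMS, amount="1000")
    print("tampered request accepted:", checksum_matches(EXAMPLE_SECRET, tampered, digest))
```

Pass the amount and the other values as the exact strings sent in the request, since a different rendering of the same number (for example 10 versus 10.00) produces a different checksum.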