Authentication Overview

This API uses two authentication models depending on the endpoint:

1.AES-256 Encryption

Payment and Payout requests encrypt all transaction data into a single details parameter using AES-256-CBC. No API key header is sent — the encryption key itself serves as authentication.

How it works:

1. Assemble transaction fields as URL-encoded key-value pairs
2. URL-encode the concatenated string
3. Generate a random 16-byte Initialization Vector (IV)
4. Encrypt using AES-256-CBC with PKCS7 padding
5. Convert ciphertext and IV to uppercase hex strings
6. Send merchant_id, details (encrypted hex), and iv (IV hex) in the POST body

graph LR
    classDef box fill:#8e9d95,stroke:#8e9d95,color:#ffffff

    A[Plaintext fields]:::box --> B[URL encode]:::box
    B --> C[AES-256-CBC encrypt]:::box
    E[merchant_api_key]:::box --> C
    C --> D[HEX output]:::box
    D --> F["details + iv"]:::box
    
    linkStyle 0 stroke:#343434
    linkStyle 1 stroke:#343434
    linkStyle 2 stroke:#343434
    linkStyle 3 stroke:#343434
    linkStyle 4 stroke:#343434

The pre-request scripts in Payin and Payout requests handle this automatically using Postman's built-in CryptoJS library.

Credential-Based Auth

Reporting and DDR Verification endpoints authenticate via merchant_id and merchant_pass sent directly in the request body. No encryption is required.

or Access our Interac Postman Collection