Security

MAC (Message Authentication Code), an algorithm that confirms that a given message comes from its sender and that the data in the message has not been altered.

Signature

Every request to Vita Business API must be signed using HMAC-SHA256 algorithm, and the signature's content included in the Autorización header as documented below. This header must have as a prefix the signature version and hash function used, which is currently V2-HMAC-SHA256.

Header	Type	Description
x-date	String	ISO8601 Datetime with Timezone. For instance2018-07-12T13:46:28.629Z
x-login	String	Business xLogin
x-api-key	String	Business xTransKey
Content-Type	String	application/json
Authorization	String	<auth version>, Signature: <hmac(secretKey, "X-Login+X-Date+RequestBody")>

Authorization header example

Authorization: V2-HMAC-SHA256, Signature: 80ebe700c5db952bd4c60ae53fe1971ec6e4fe84dc0922b67eca6b3e18707260

HAMC signatures generation examplesin the most popular programming languages.

Ruby

RequestBody = hash.sort.join
signature = OpenSSL::HMAC.hexdigest('sha256', secretKey, "#{$X-Login}#{$X-Date}#{RequestBody}")

Other languages

In the integrations section of the merchant's Vita Wallet account, you can find a button to request access credentials for Vita Business. We will send an email with the instructions.

To use the services of Vita Business, you will need to register the IP addresses in the integration section. Once your tests are successful, you will need to contact us at ayuda@vitawallet.io to register your merchant's IP addresses in the production environment.

NOTE

The IP addresses in the production environment MUST be STATIC (they must not vary)

The request hash was joined into a single string of all key-value pairs, alphabetically sorted and concatenated without separators.

If the request body is null, then the signature must be calculated without the request body.

Example hash = { "order": "xyz", "amount": 400 } RequestBody = hash.sort.join # amount400orderxyz