API Key – Shared Secret (x-pay-token) for Visa Checkout

The usage of the x-pay-token by Visa Checkout is the same as described in the previous section. However, its format is slightly different from the one described above. Specifically, the format of the token is as follows:

Format: Alphanumeric; maximum 100 characters in the form of x-pay-token: x:UNIX_UTC_Timestamp:SHA256_hash, where

  • UNIX_UTC_Timestamp is a UNIX Epoch timestamp
  • SHA256_hash is an SHA256 hash of the following unseparated items:
    • Shared secret associated with the API key
    • Timestamp from the transaction; exactly the same as UNIX_UTC_Timestamp
    • Resource path (API name)
    • This HTTPS request's query string, if it exists
      Note: The query string includes one or more parameters in name-value pair format, in which the name is separated from the value by an equal sign (=). Parameters are separated from each other by an ampersand (&) character. The initial question mark (?) is not included in the query string. The query string must be URL encoded, excepting the following characters, per RFC 3986: hyphen, period, underscore and tilde.
    • Complete request body, when a request body exists

Example: x-pay-token: x:1358092911:...

For further information and examples for creating a Visa Checkout x-pay-token, refer to Visa Checkout Integration Guide