Payment Gateway

Hash-Based Signature

A signature is a unique code used to ensure the security and authenticity of data during a transaction. The signature is created using cryptographic algorithms such as RSA and SHA-256. Each time a request is received, Espay will validate the signature to ensure that the transaction data originates from you and has not been altered during transmission.
Each Espay service has a different parameter format for generating its signature. Below is the parameter combination format along with its corresponding services:
Service Message Combination
Virtual Account / Send Invoice.
Visit the service here.
Request
Signature Key + rq_uuid + rq_datetime + order_id + amount + ccy + comm_code + SENDINVOICE
Inquiry Transaction
Visit the service here.
Request
Signature Key + rq_datetime + order_id + INQUIRY
Response
Signature Key + rq_uuid + rs_datetime + order_id + error_code + INQUIRY-RS
Payment Notificatio
Visit the service here.
Request
Signature Key + rq_datetime + order_id + PAYMENTREPORT
Response
Signature Key + rq_uuid + rs_datetime + error_code + PAYMENTREPORT-RS
Check Payment Status
Visit the service here.
Request
Signature Key + rq_datetime + order_id + CHECKSTATUS
Expire Transaction
Visit the service here.

Request
Signature Key + rq_datetime + order_id + EXPIRETRANSACTION
Credit Card - Tokenization
Visit the service here.
Request
Signature Key + comm_code + trx_id + amount
Credit Card - Capture
Visit the service here.
Request
Signature Key + comm_code + trx_id + amount
Credit Card - Void
Visit the service here.
Request
Signature Key + comm_code + trx_id
Credit Card - Refund
Visit the service here.
Request
Signature Key + comm_code + trx_id + amount
Push To Pay / QRIS / Linkage
Visit the service here.
Request
rq_uuid + comm_code + product_code + order_id + amount + signature key + PUSHTOPAY
Settlement Notification
Visit the service here.
Request
rq_uuid + rq_datetime + sender_id + receiver_id
Payment Link
Visit the service here.
Request
comm_code + orderid + amount + key + datetime + password
Signature Component
Component Description
amount
Paid amount.

Example:
150000
ccy
Transaction currency code.

Value:
  • Rupiah: IDR
comm_code
Merchant code from Espay team.

Example:
SGWDIGALLERY
error_code
Error code.

Example:
0000
Key
API Key from Espay team.
order_id / orderid
Unique code to identify the order/billing/invoice.

Example:
Transaction number, invoice ID, etc.
rq_uuid
Request identifier. A unique ID used to identify messages.
rq_datetime / datetime
Date and time of the transaction request.

Example:
2024-01-01 14:39:11
rs_datetime
Date and time of the transaction response.

Example:
2024-01-01 14:39:11
SignatureKey
Signature key from Espay team.

Example:
s8qndd0ghZdrl04r
In this Hash-Based Signature, there are three types of signature formats that you need to use according to their purpose:
  1. Signature Format for Settlement Notification
  2. Universal Signature Format
  3. Signature Format for Payment Link
Comparison of the 3 Signature Formats
Settlement Notification Signature Format Universal Signature
Format		 Payment Link Signature
Format
Specifically for the Settlement Notification service.
Used for all services listed in the Format Combination Parameter table, except Settlement Notification and Payment Link.
Specifically for the Payment Link service.
Do not use ## as a separator.
Uses ## as a separator between fields.
Uses ## as a separator between fields.
Uppercase conversion is not required for the combined format.
Uppercase conversion is required for the combined format.
Uppercase conversion is not required for the combined format.
Implemented using MD5 and SHA1 algorithms.
Implemented using the SHA256 algorithm.
Implemented using the SHA256 algorithm.
rq_uuid+rq_datetime+sender_id+receiver_id
The parameter combination is customized based on the service being used.
##comm_code##orderid##amount##key##datetime##password##
How to Create a Signature for the Settlement Notification Service

Here are the steps to generate a signature for the Settlement Notification Settlement Notification service:

  1. Combine the signature parameters specified by Espay.
  • Settlement Notification Service Example
rq_uuid : cc256d3a2d7687e6f4e1f4217c534bc6b18f66e3552aa9d312f5f4808130504
rq_datetime: 2024-01-01 14:39:11
sender_id: GOWORLDPG
receiver_id: SGWYESSISHOP
Parameter combination
rq_uuid + rq_datetime + sender_id + receiver_id
Combination format
cc256d3a2d7687e6f4e1f4217c534bc6b18f66e3552aa9d312f5f48081305042024-01-01 14:39:11GOWORLDPGSGWYESSISHOP
  1. Generate the hash using the MD5 algorithm.
  • Settlement Notification Service Example
Format before hash MD5
cc256d3a2d7687e6f4e1f4217c534bc6b18f66e3552aa9d312f5f48081305042024-01-01 14:39:11GOWORLDPGSGWYESSISHOP
Format after hash MD5
cc29f34e06e17749b0b82e9bf8c4229a
  1. Generate a SHA1 hash from the MD5 output.
  • Settlement Notification Service Example
Format before SHA1
cc29f34e06e17749b0b82e9bf8c4229a
Format after SHA1
591e6edde42e0d63705ccca9d7ff077392aa7f03
How to Generate Signature for Universal Service
Here are the steps to create a signature based on the service requirements being used:
  1. Combine the signature parameters specified by Espay using "##" as the separator.
  • Send Invoice Service Example
Combination format
##SignatureKey##rq_uuid##rq_datetime##order_id##amount##ccy##comm_code##SENDINVOICE##
##cc256d3a2d7687e6f4e1f4217c534bc6b18f66e3552aa9d312f5f4808130504##rfbd39734-ed32-490d-98c4-e91bcd91037a##2024-01-01 14:39:11##ORDER001##100000##IDR##SGWDIGALLERY##SENDINVOICE##
  • Payment Link Service Example
Combination format
##comm_code##orderid##amount##key##datetime##password##
##ESPAYCOMMCODE##ORDER001-JKT-2020##200000.00##rwjfiwhrwrwhugdsdfyfyd##2020-08-08 09:17:45##P@ssw0rd!##
  1. Convert the combined string from step 1 into uppercase.
  • Send Invoice Service Example
Format before uppercase
##cc256d3a2d7687e6f4e1f4217c534bc6b18f66e3552aa9d312f5f4808130504##rfbd39734-ed32-490d-98c4-e91bcd91037a##2024-01-01 14:39:11##ORDER001##100000##IDR##SGWDIGALLERY##SENDINVOICE##
Format after uppercase
##CC256D3A2D7687E6F4E1F4217C534BC6B18F66E3552AA9D312F5F4808130504##RFBD39734-ED32-490D-98C4-E91BCD91037A##2024-01-01 14:39:11##ORDER001##100000##IDR##SGWDIGALLERY##SENDINVOICE##
  • Payment Link Service Example
The format for the Payment Link service is not converted to uppercase.
##ESPAYCOMMCODE##ORDER001-JKT-2020##200000.00## rwjfiwhrwrwhugdsdfyfyd##2020-08-08 09:17:45##P@ssw0rd!##
  1. Apply the SHA-256 hashing algorithm to the formatted string from step 2.
  • Payment Link Service Example
Format after hash SHA-256
##CC256D3A2D7687E6F4E1F4217C534BC6B18F66E3552AA9D312F5F4808130504##RFBD39734-ED32-490D-98C4-E91BCD91037A##2024-01-01 14:39:11##ORDER001##100000##IDR##SGWDIGALLERY##SENDINVOICE##
Format before hash SHA-256
b474188c95439412262f5808473caa8c12676acf4381842ff43b1b4a22493808
  • Payment Link Service Example
Format before hash SHA-256
##ESPAYCOMMCODE##ORDER001-JKT-2020##200000.00## rwjfiwhrwrwhugdsdfyfyd##2020-08-08 09:17:45##P@ssw0rd!##
Format after hash SHA-256
b958d232cb4b5aad3ee37f44ebc89f149083cdd5f8ae100fa0d96776bcae718d

Try It!

You can enter data using the input provided. After that, you submit and see the results!

Request

Value

Response




Generate Signature for Settlement Notification

$rq_uuid      = "cc256d3a2d7687e6f4e1f4217c534bc6b18f66e3552aa9d312f5f4808130504";
$rq_datetime  = "2024-01-01 14:39:11";
$sender_id    = "GOWORLDPG";
$receiver_id  = "SGWYESSISHOP";

$raw_string = $rq_uuid . $rq_datetime . $sender_id . $receiver_id;

$md5_hash = md5($raw_string);
$final_signature = sha1($md5_hash);

echo $final_signature;


Generate Signature for Universal Service
Virtual Account (Send Invoice)

$signatureKey = 'cc256d3a2d7687e6f4e1f4217c534bc6b18f66e3552aa9d312f5f4808130504';
$rq_uuid      = 'rfbd39734-ed32-490d-98c4-e91bcd91037a';
$rq_datetime  = '2024-01-01 14:39:11';
$order_id     = 'ORDER001';
$amount       = '100000';
$ccy          = 'IDR';
$comm_code    = 'SGWYESSISHOP';
$action       = 'SENDINVOICE';
                                  
$raw_string = strtoupper("##{$signatureKey}##{$rq_uuid}##{$rq_datetime}##{$order_id}##{$amount}##{$ccy}##{$comm_code}##{$action}##");

$signature = hash('sha256', $raw_string);
         
echo "Raw String: " . $raw_string . PHP_EOL;
echo "Signature : " . $signature;


Generate Signature for Payment Link

$comm_code = 'SGWYESSISHOP';
$order_id  = 'ORDER001';
$amount    = '200000.00';
$key       = 'rwjfiwhrwrwhugdsdfyfyd';
$datetime  = '2020-08-08 09:17:45';
$password  = 'P@ssw0rd!';

$raw_string = ("##{$comm_code}##{$order_id}##{$amount}##{$key}##{$datetime}##{$password}##");

$signature = hash('sha256', $raw_string);

echo "Raw String : $raw_string\n";
echo "Signature  : $signature\n";



Generate Signature for Settlement Notification

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class DualHashSignature {

    public static void main(String[] args) {
        String rq_uuid     = "cc256d3a2d7687e6f4e1f4217c534bc6b18f66e3552aa9d312f5f4808130504";
        String rq_datetime = "2024-01-01 14:39:11";
        String sender_id   = "GOWORLDPG";
        String receiver_id = "SGWYESSISHOP";

        // Gabungkan string seperti PHP
        String rawString = rq_uuid + rq_datetime + sender_id + receiver_id;

        try {
            // Step 1: MD5 hash
            String md5Hash = hashString(rawString, "MD5");

            // Step 2: SHA1 hash dari hasil MD5
            String finalSignature = hashString(md5Hash, "SHA-1");

            // Output hasil
            System.out.println("Raw String       : " + rawString);
            System.out.println("MD5 Hash         : " + md5Hash);
            System.out.println("Final Signature  : " + finalSignature);

        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static String hashString(String input, String algorithm) throws Exception {
        MessageDigest digest = MessageDigest.getInstance(algorithm);
        byte[] hashedBytes = digest.digest(input.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : hashedBytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}


Generate Signature for Universal Service
Virtual Account (Send Invoice)

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class UniversalSignatureGenerator {

    public static void main(String[] args) {
        String signatureKey = "cc256d3a2d7687e6f4e1f4217c534bc6b18f66e3552aa9d312f5f4808130504";
        String rq_uuid      = "rfbd39734-ed32-490d-98c4-e91bcd91037a";
        String rq_datetime  = "2024-01-01 14:39:11";
        String order_id     = "ORDER001";
        String amount       = "100000";
        String ccy          = "IDR";
        String comm_code    = "SGWYESSISHOP";
        String action       = "SENDINVOICE";

        // Buat raw string dan ubah ke uppercase
        String rawString = String.format("##%s##%s##%s##%s##%s##%s##%s##%s##",
                signatureKey, rq_uuid, rq_datetime, order_id, amount, ccy, comm_code, action
        ).toUpperCase();

        try {
          // Hash menggunakan SHA-256
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            byte[] hash = digest.digest(rawString.getBytes(StandardCharsets.UTF_8));

            // Konversi hasil hash ke hex string
            StringBuilder hexString = new StringBuilder();
            for (byte b : hash) {
                hexString.append(String.format("%02x", b));
            }

            // Output hasil
            System.out.println("Raw String: " + rawString);
            System.out.println("Signature : " + hexString.toString());

        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}


Generate Signature for Payment Link

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SettlementSignatureExample {
    public static void main(String[] args) {
        String comm_code = "SGWYESSISHOP";
        String order_id  = "ORDER001";
        String amount    = "200000.00";
        String key       = "rwjfiwhrwrwhugdsdfyfyd";
        String datetime  = "2020-08-08 09:17:45";
        String password  = "P@ssw0rd!";

        // Buat raw string dan ubah ke upper
        String rawString = String.format("##%s##%s##%s##%s##%s##%s##",
                comm_code, order_id, amount, key, datetime, password
        );

        try {
            // Hash menggunakan SHA-256
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            byte[] hash = digest.digest(rawString.getBytes(StandardCharsets.UTF_8));

            // Konversi hasil hash ke hex string
            StringBuilder hexString = new StringBuilder();
            for (byte b : hash) {
                hexString.append(String.format("%02x", b));
            }

            // Output
            System.out.println("Raw String : " + rawString);
            System.out.println("Signature  : " + hexString.toString());

        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}



Generate Signature for Settlement Notification

const crypto = require('crypto');

const rq_uuid     = "cc256d3a2d7687e6f4e1f4217c534bc6b18f66e3552aa9d312f5f4808130504";
const rq_datetime = "2024-01-01 14:39:11";
const sender_id   = "GOWORLDPG";
const receiver_id = "SGWYESSISHOP";

// Gabungkan raw string
const rawString = rq_uuid + rq_datetime + sender_id + receiver_id;

// Hash MD5
const md5Hash = crypto.createHash('md5').update(rawString).digest('hex');

// Hash SHA1 dari MD5
const finalSignature = crypto.createHash('sha1').update(md5Hash).digest('hex');

// Output
console.log("Raw String     :", rawString);
console.log("MD5 Hash       :", md5Hash);
console.log("Final Signature:", finalSignature);


Generate Signature for Universal Service
Virtual Account (Send Invoice)

const crypto = require('crypto');

const signatureKey = 'cc256d3a2d7687e6f4e1f4217c534bc6b18f66e3552aa9d312f5f4808130504';
const rq_uuid      = 'rfbd39734-ed32-490d-98c4-e91bcd91037a';
const rq_datetime  = '2024-01-01 14:39:11';
const order_id     = 'ORDER001';
const amount       = '100000';
const ccy          = 'IDR';
const comm_code    = 'SGWYESSISHOP';
const action       = 'SENDINVOICE';

// Gabungkan dan ubah ke UPPERCASE
const rawString = `##${signatureKey}##${rq_uuid}##${rq_datetime}##${order_id}##${amount}##${ccy}##${comm_code}##${action}##`.toUpperCase();

// Buat SHA-256 hash
const signature = crypto.createHash('sha256').update(rawString).digest('hex');

// Output
console.log("Raw String :", rawString);
console.log("Signature  :", signature);


Generate Signature for Payment Link

const crypto = require('crypto');

const comm_code = 'SGWYESSISHOP';
const order_id  = 'ORDER001';
const amount    = '200000.00';
const key       = 'rwjfiwhrwrwhugdsdfyfyd';
const datetime  = '2020-08-08 09:17:45';
const password  = 'P@ssw0rd!';

// Buat raw string seperti PHP
const rawString = `##${comm_code}##${order_id}##${amount}##${key}##${datetime}##${password}##`;

// Buat hash SHA256
const signature = crypto.createHash('sha256').update(rawString).digest('hex');

// Output
console.log("Raw String :", rawString);
console.log("Signature  :", signature);
Scroll to Top