Authentication & Authorization
Every request to the Checkout and Payment Admin API must be authenticated. This is done by passing the following HTTP headers to the API:
Timestamp
The timestamp should be the time in UTC when the message was sent. Use the format “yyyy-MM-dd HH:mm:ss”.
Example: 2017-10-23 13:03:03
Authorization
This should be in the format “Svea {token}”, where token is calculated using this formula:
base64(utf8({checkoutMerchantId}:base64(lowercase(sha512(utf8({requestBody}{checkoutSecret}{timestamp}))))))
where:
- {checkoutMerchantId} is the merchant identifier assigned to you by Svea.
- {requestBody} is the body of the request (or an empty string for GET requests).
- {checkoutSecret} is the secret key assigned to your CheckoutMerchantId by Svea.
- {timestamp} is the same value as the timestamp header.
Example |
---|
Svea MTAwMDAxOjJEOEQ2QkQzRjNGMjYyRUM1NDcwRjhBNjUxRDk2NTIzRTI2M0NFNjEyQUI5MDkxREQzRUM1NkJBOURFRTMyNTUwNEUzM0FDOTM0NjhBMTlCREZDNjEwQjQ3QzE2RTQwMzk1MjIzMDE2QzQyRkFBN0UwNTFCQTAwQzg5RTcwRUEy |
Token Generation Example Code
- C#
- JavaScript
- PHP
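Token Generation Example (C#)
```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public class Authentication
{
    // Produces the Authorization header value ("Svea {token}") and the matching Timestamp header value.
    public static void CreateAuthenticationToken(out string token, out string timestamp, string message = null)
    {
        // Placeholder values; in production load the secret from protected configuration, not source code.
        const int merchantId = 123123;
        const string secretKey = "sharedSecret";
        message = message ?? string.Empty; // empty string for GET requests
        timestamp = DateTime.UtcNow.ToString("yyyy-MM-dd HH:mm:ss", CultureInfo.InvariantCulture);
        using (var sha512 = SHA512.Create())
        {
            // SHA-512 over body + secret + timestamp, rendered as uppercase hex.
            var hashBytes = sha512.ComputeHash(Encoding.UTF8.GetBytes(message + secretKey + timestamp));
            var hashString = BitConverter.ToString(hashBytes).Replace("-", string.Empty);
            token = string.Concat("Svea ", Convert.ToBase64String(Encoding.UTF8.GetBytes(merchantId + ":" + hashString)));
        }
    }
}
```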
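Token Generation Example (JavaScript)
```javascript
const crypto = require('crypto');

function createAuthenticationToken(message = '') {
  // Placeholder values; in production load the secret from protected configuration, not source code.
  const merchantId = 123123;
  const secretKey = 'sharedSecret';
  // UTC time as "yyyy-MM-dd HH:mm:ss" (ISO 8601 with the 'T' and milliseconds removed).
  const timestamp = new Date().toISOString().replace('T', ' ').split('.')[0];
  // SHA-512 over body + secret + timestamp, rendered as uppercase hex.
  const hash = crypto.createHash('sha512')
    .update(message + secretKey + timestamp, 'utf-8')
    .digest('hex')
    .toUpperCase();
  // The Authorization header value is "Svea " followed by this token.
  const token = Buffer.from(`${merchantId}:${hash}`).toString('base64');
  return { token, timestamp };
}

const { token, timestamp } = createAuthenticationToken('RequestBody');
console.log(token);
console.log(timestamp);
```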
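Token Generation Example (PHP)
```php
function createAuthenticationToken(&$token, &$timestamp, $message = null) {
    // Placeholder values; in production load the secret from protected configuration, not source code.
    $merchantId = 123123;
    $secretKey = 'sharedSecret';
    $message = $message ?? ''; // empty string for GET requests
    $timestamp = gmdate('Y-m-d H:i:s'); // UTC
    // SHA-512 over body + secret + timestamp, rendered as uppercase hex.
    $hashString = strtoupper(hash('sha512', $message . $secretKey . $timestamp));
    // The Authorization header value is "Svea " followed by this token.
    $token = base64_encode($merchantId . ':' . $hashString);
}

$token = '';
$timestamp = '';
createAuthenticationToken($token, $timestamp, 'RequestBody');
echo $token . "\n";
echo $timestamp . "\n";
```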