Eko APIs

Authentication

API Security Protocol

All API requests must be authenticated with a developer_key in the request. Your API keys carry many privileges, so be sure to keep them secret!

You authenticate to the Eko API by providing your API key in the header of each request.

How to generate developer_key?

Developer key will be shared after the following is done:

  1. Organization's KYC is completed on Eko's platform (visit https://connectalpha.eko.co.in/)
  2. Integration has been completed on UAT with signoff from Eko team
  3. For UAT, a dummy developer_key can be used from platform credentials section

Security 2.0

To ensure that compromise on one of the authentication i.e your developer_key never leads to any fraud, another solution has been provided which requires clients to send 2 more parameters for each API call:

  1. secret-key
  2. secret-key-timestamp

How to generate the secret-key?

  1. Encode key using base64 encoding technique

  2. Generate current timestamp (in milliseconds since UNIX epoch), i.e. secret-key-timestamp (Check currentmillis.com to understand the timestamp format)

  3. Compute the signature by hashing salt and base64 encoded key using Hash-based message authentication code HMAC and SHA256

  4. Encode the signature using base64 encoding technique and use this as secret-key

<?php

// Initializing key in some variable. You will receive this key from Eko via email
$key = "f74c50a1-f705-4634-9cda-30a477df91b7";

// Encode it using base64
$encodedKey = base64_encode($key);

// Get current timestamp in milliseconds since UNIX epoch as STRING
// Check out https://currentmillis.com to understand the timestamp format
$secret_key_timestamp = "".round(microtime(true) * 1000);

// Computes the signature by hashing the salt with the encoded key 
$signature = hash_hmac('SHA256', $secret_key_timestamp, $encodedKey, true);

// Encode it using base64
$secret_key = base64_encode($signature);

echo $secret_key;

?>
package com.smartkinda.util;

import org.apache.commons.codec.binary.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.InvalidKeyException;
import java.util.Date;

public class HmacSHA256 {
	public static final String HMAC_SHA256 = "HmacSHA256";

	public static void activateEKyc()	
	{
		try {

			String secret_key="",secret_key_timestamp="";
			// Initializing key in some variable. You will receive this key from Eko via email
			String key = "f74c50a1-f705-4634-9cda-30a477df91b7";
			String encodedKey = Base64.encodeBase64String(key.getBytes());
			// Encode it using base64

			// Get secret_key_timestamp: current timestamp in milliseconds since UNIX epoch as STRING
			// Check out https://currentmillis.com to understand the timestamp format
			Date date = new Date();
			secret_key_timestamp = Long.toString(date.getTime());

			// Computes the signature by hashing the salt with the encoded key 
			Mac sha256_HMAC;

			sha256_HMAC = Mac.getInstance(HMAC_SHA256);

			SecretKeySpec signature = new SecretKeySpec(encodedKey.getBytes(), HMAC_SHA256);
			try {
				sha256_HMAC.init(signature);
			} catch (InvalidKeyException e) {
				// TODO Auto-generated catch block
				e.printStackTrace();
			}

			// Encode it using base64 to get secret-key
			secret_key = Base64.encodeBase64String(sha256_HMAC.doFinal(secret_key_timestamp.getBytes())).trim();

			System.out.println("secret_key : "+secret_key);
			System.out.println("secret_key_timestamp : "+secret_key_timestamp);


		} catch (Exception e) {
			e.printStackTrace();
		}

	}
}
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Security.Cryptography;
using System.Text;
using System.Configuration;

namespace RechargePortal.Models
{
    public class SequrityKeys
    {
        public string secret_key { get; set; }
        public string secret_key_timestamp { get; set; }
    }

    public class Eko
    {
        public string Unique_Order_No { get; set; }
        public string Secrect_Key { get; set; }
        public string secretKeyTimestamp { get; set; }
        public string HashKey { get; set; }

        #region Get Security Key
        public static SequrityKeys GetSequrityKeys
        {
            get
            {
                SequrityKeys objSequrityKeys = new SequrityKeys();

                // call GenerateSequrityKeys static mathod
                objSequrityKeys = GenerateSequrityKeys();

                return objSequrityKeys;
            }
        }
        #endregion

        
        #region Generate Security Key
        private static SequrityKeys GenerateSequrityKeys()
        {
            SequrityKeys sequrityKey = new SequrityKeys();
            sequrityKey.secret_key = "";
            sequrityKey.secret_key_timestamp = "";

            try
            {
                string key = "f74c50a1-f705-4634-9cda-30a477df91b7"; // you can keep this in your configuration files
                var plainTextBytes = System.Text.Encoding.UTF8.GetBytes(key);
                var encodedKey = System.Convert.ToBase64String(plainTextBytes);
                DateTime epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
                long dateTimeInMilliseconds = (long)(DateTime.UtcNow - epoch).TotalMilliseconds;
          sequrityKey.secret_key_timestamp = dateTimeInMilliseconds.ToString();

                sequrityKey.secret_key = CalcHMACSHA256Hash(dateTimeInMilliseconds.ToString(), encodedKey);

            }
            catch (Exception ex)
            {
                // Write Exception handling code here....   
            }


            return sequrityKey;
        }


        public static string GenerateHash(string message,string timespan)
        {
            SequrityKeys sequrityKey = new SequrityKeys();
            sequrityKey.secret_key = "";
            sequrityKey.secret_key_timestamp = "";
            string hash = "";
            try
            {
                string key = ConfigurationManager.AppSettings["SecretKey"];
                var plainTextBytes = System.Text.Encoding.UTF8.GetBytes(key);
                var encodedKey = System.Convert.ToBase64String(plainTextBytes);
                hash= CalcHMACSHA256Hash(message, encodedKey);

            }
            catch (Exception ex)
            {
                // Write Exception handling code here....   
            }


            return hash;
        }
        #endregion

        #region Cal hash Mac Eko
        public static string CalcHMACSHA256Hash(string message, string secret)
        {
            try
            {
                secret = secret ?? "";
                var encoding = new System.Text.ASCIIEncoding();
                byte[] keyByte = encoding.GetBytes(secret);
                byte[] messageBytes = encoding.GetBytes(message);
                using (var hmacsha256 = new HMACSHA256(keyByte))
                {
                    byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);
                    return Convert.ToBase64String(hashmessage);
                }
            }
            catch (Exception ex)
            {
                // write exception handling code here
                return "";
            }

        }

        #endregion

    }
}

 // CALLING METHOD :

Eko ek = new Models.Eko();

                ek.Unique_Order_No = Uniqurorderno.ToString();

                SequrityKeys ks = Eko.GetSequrityKeys;

                ek.Secrect_Key = ks.secret_key;

                ek.secretKeyTimestamp = ks.secret_key_timestamp;

 

                if (interactiontypeid == 221) // for money transfer

                {

                    string requsetHsh = ek.secretKeyTimestamp + bankMaster.CustomerID + bankMaster.recipientid + amount;

                    ek.HashKey = Eko.GenerateHash(requsetHsh, ek.secretKeyTimestamp);

                }

                else if (interactiontypeid == 149) // for bank addd

                {

                    string requsetHsh = ek.secretKeyTimestamp;

                    ek.HashKey = Eko.GenerateHash(requsetHsh, ek.secretKeyTimestamp);

                }

How to generate the request-hash ?

This is only for the API widget users.
Steps are mostly the same as above (for generating secret-key)

  1. Encode key using base64 encoding technique
  2. Use the same timestamp (secret-key-timestamp) that you generated in the previous step
  3. Generate the salt by attaching (concatenating) the important request parameter values to the secret-key-timestamp. The parameters and their order will be defined by us for each type of transaction:
    • For Money Transfer: secret-key-timestamp + customer_id + recipient_id + amount
  4. Compute the signature by hashing salt and base64 encoded key using Hash-based message authentication code HMAC and SHA256
  5. Encode the signature using base64 encoding technique and use this as request-hash

How will you get the key for generating secret-key & request-hash?

The key will be provided to you by Eko via email.

Sample key

key = f74c50a1-f705-4634-9cda-30a477df91b7

Note

If you are using .NET, you should not send overly specific time stamps, due to differing interpretations of how extra time precision should be dropped. To avoid overly specific time stamps, manually construct dateTime objects with no more than millisecond precision.

Important Note :

Only IP which is in India will be whitelisted while going on the production mode. IP which is present outside India will not be whitelisted.

Authentication


API Security Protocol

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.