Rules
Currency Unit
The currency unit in Indonesia is the Rupiah, which is written with 2 decimal places, such as 10.25. The payment amount must not be lower than the specified fee.
Transaction Amount Limit
| Payment Code | Minimum (IDR)/Transaction | Maximum (IDR)/Transaction |
|---|---|---|
| POS | 50,000.00 | 1,000,000.00 |
| DANABALANCE,OVOBALANCE,LINKAJABALANCE, SHOPEEBALANCE,GOPAYBALANCE | 10,000.00 | 20,000,000.00 |
| Indomaret | 10,000.00 | 5,000,000.00 |
| CreditCard,CreditCard_2DSecure,CreditCard_6Mos,CreditCard_12Mos | 10,000.00 | 100,000,000.00 |
| Indodana,Atome,Kredivo | 10,000.00 | 50,000,000.00 |
| Alfarmart | 10,000.00 | 2,000,000.00 |
| BNIVA,BNCVA,BTNVA,OCBCVA,SinarmasVA,MandiriVA, INAVA,PermataVA,MaybankVA,DanamonVA,BRIVA, BCAVA,MuamalatVA,BSIVA | 10,000.00 | 100,000,000.00 |
| CIMBVA | 15,000.00 | 100,000,000.00 |
| QRIS | 1,000.00 | 10,000,000.00 |
| StaticDanaSub, DynamicDanaSub | 10,000.00 | 50,000,000.00 |
| StaticCcSub, DynamicCcSub | 10,000.00 | 50,000,000.00 |
Data Signing Rules
1. Paylabs and the Merchant each generate a 2048-bit RSA key pair (PKCS8 format), and the two sides exchange public keys (never private keys).
a. The Merchant must send its public key to the Paylabs CS email (cs@paylabs.co.id).
b. Upon merchant activation, an email containing the Paylabs public key is sent to the merchant.
2. Minify the request body according to the following rules:
Remove from the JSON content all whitespace-related symbols and characters, such as \n, \r, \t and spaces.
If the value of a field is null, do not include that field when creating the signature.
3. Prepare the strings:
stringContent: HTTPMethod:EndpointUrl:Lowercase(SHA256Hex(minify(body))):TimeStamp
HTTPMethod: POST
EndpointUrl: /payment/v2.3/va/create
TimeStamp: Request header's X-TIMESTAMP
4. Signing method:
X-SIGNATURE: Base64(SHA256withRSA(stringContent, privateKey))
Data Signing Example
Example of generating RSA key pairs
# to generate RSA 2048 bits please check https://www.openssl.org/docs/man3.1/man1/genrsa.html
openssl genrsa -out rsakey.pem 2048 # generate 2048 bit RSA private key
# Convert to PKCS8 format (the format supported by Java) https://www.openssl.org/docs/man3.1/man1/openssl-pkcs8.html
# Generate private key (used by Merchant, never sent to anyone)
openssl pkcs8 -topk8 -nocrypt -inform PEM -in rsakey.pem -outform PEM -out private-key.pem
# generate public key to send to Paylabs
openssl rsa -inform PEM -in rsakey.pem -pubout -outform PEM -out public-key.pem

Please note that the public key must begin and end with the following lines:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----

For example, we have the following request:
# POST Request
POST ${ROOT_URL}/payment/v2.3/va/create
# HTTP Header
Content-Type: application/json;charset=utf-8
# HTTP Body
{
"merchantId":"0010001",
"merchantTradeNo":"100100011650868989065",
"requestId":"200100011650868989065",
"paymentType":"CreditCard",
"amount":"10000.00",
"productName":"Test",
"paymentParams":{
"redirectUrl": "http://google.com"
}
}

Step 1: Minify the request body and save it to the minifyString variable
minifyString = {"merchantId":"0010001","merchantTradeNo":"100100011650868989065","requestId":"200100011650868989065","paymentType":"CreditCard","amount":"10000.00","productName":"Test","paymentParams":{"redirectUrl":"http://google.com"}}

Step 2: Combine these strings into stringContent:
stringContent = POST:/payment/v2.3/va/create:Lowercase(SHA256Hex(minifyString)):2022-09-16T16:58:47.964+07:00
Step 3: Sign the stringContent with the merchant's private key using SHA256withRSA, then Base64-encode the result to get X-SIGNATURE
X-SIGNATURE = Base64(SHA256withRSA(stringContent, privateKey))
After getting the signature string, put it into the HTTP header:
# POST Request
POST ${ROOT_URL}/payment/v2.3/va/create
# HTTP Header
Content-Type: application/json;charset=utf-8
X-TIMESTAMP: 2022-09-16T16:58:47.964+07:00
X-SIGNATURE: xxxxxxxxx
X-PARTNER-ID: 010001
X-REQUEST-ID: xxxxxxxxxxxxxxxxxxxxxxxx
# HTTP Body
{
"merchantId":"0010001",
"merchantTradeNo":"100100011650868989065",
"requestId":"200100011650868989065",
"paymentType":"CreditCard",
"amount":"10000.00",
"productName":"Test",
"paymentParams":{
"redirectUrl": "http://google.com"
}
}

API Protocols & Standards
| Type | Explanation |
|---|---|
| Submission Method | Use POST method, Content-Type "application/json;charset=utf-8" |
| Data Format | Request and response in JSON format |
| Character Encoding | Use UTF-8 character encoding |
| Amount Format | Indonesia Rupiah with two decimals |
| Hash Method | SHA256withRSA |
| Signing Request | Signature verification is mandatory both when sending a request and when receiving a response. See Data Signing Rules for details. |
| Verification Steps | First determine the response's protocol, then the business response, and lastly the transaction status. |
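
The Data Signing Rules and the signature check required by the table above, as an added Node.js example (not Paylabs code). It signs the page's sample request and verifies it the way the receiving side would. Assumptions: minify is done by re-serializing the JSON, so whitespace inside string values is kept; the key pair is a throwaway generated for the demo; `optionalField` is a hypothetical null field.

```javascript
const crypto = require('node:crypto');

// Rule 2: drop null fields and all whitespace between JSON tokens.
// Assumption: whitespace inside string values is left as-is.
function minify(body) {
  const obj = typeof body === 'string' ? JSON.parse(body) : body;
  return JSON.stringify(obj, (key, value) => (value === null ? undefined : value));
}

// Rule 3: HTTPMethod:EndpointUrl:Lowercase(SHA256Hex(minify(body))):TimeStamp
function buildStringContent(method, endpointUrl, body, timestamp) {
  const hash = crypto.createHash('sha256').update(minify(body), 'utf8').digest('hex');
  return [method, endpointUrl, hash.toLowerCase(), timestamp].join(':');
}

// Rule 4: Base64(SHA256withRSA(...)), which is RSASSA-PKCS1-v1_5 with SHA-256.
function sign(stringContent, privateKeyPem) {
  return crypto.sign('sha256', Buffer.from(stringContent, 'utf8'), privateKeyPem)
    .toString('base64');
}

// Receiving side: rebuild stringContent from the received request and check
// X-SIGNATURE against the sender's public key.
function verify(method, endpointUrl, body, timestamp, signatureB64, publicKeyPem) {
  const content = buildStringContent(method, endpointUrl, body, timestamp);
  return crypto.verify('sha256', Buffer.from(content, 'utf8'), publicKeyPem,
    Buffer.from(signatureB64, 'base64'));
}

// Constructed throwaway key pair (PKCS8 private key, as the rules require).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});

// Request from the page's example, plus a hypothetical null field to show it is skipped.
const ENDPOINT = '/payment/v2.3/va/create';
const TIMESTAMP = '2022-09-16T16:58:47.964+07:00';
const body = `{
  "merchantId":"0010001", "merchantTradeNo":"100100011650868989065",
  "requestId":"200100011650868989065", "paymentType":"CreditCard",
  "amount":"10000.00", "productName":"Test", "optionalField": null,
  "paymentParams":{ "redirectUrl": "http://google.com" }
}`;
const signature = sign(buildStringContent('POST', ENDPOINT, body, TIMESTAMP), privateKey);
console.log('X-SIGNATURE:', signature);
console.log('verifies:', verify('POST', ENDPOINT, body, TIMESTAMP, signature, publicKey));
```

Because the timestamp and the body hash are both inside the signed string, changing either one after signing makes verification fail.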