Rules
Currency Unit
The currency unit in Indonesia is the Rupiah, which is written with 2 decimal places, such as 10.25. The payment amount must not be lower than the specified fee.
Transaction Amount Limit
| Payment Code | Minimum (IDR)/Transaction | Maximum (IDR)/Transaction |
|---|---|---|
| POS | 50,000.00 | 1,000,000.00 |
| DANABALANCE, OVOBALANCE, LINKAJABALANCE, SHOPEEBALANCE, GOPAYBALANCE | 10,000.00 | 20,000,000.00 |
| Indomaret | 10,000.00 | 5,000,000.00 |
| CreditCard, CreditCard_2DSecure, CreditCard_6Mos, CreditCard_12Mos | 10,000.00 | 100,000,000.00 |
| Indodana, Atome, Kredivo | 10,000.00 | 50,000,000.00 |
| Alfarmart | 10,000.00 | 2,000,000.00 |
| BNIVA, BNCVA, BTNVA, OCBCVA, SinarmasVA, MandiriVA, INAVA, PermataVA, MaybankVA, DanamonVA, BRIVA, BCAVA, MuamalatVA, BSIVA | 10,000.00 | 100,000,000.00 |
| CIMBVA | 15,000.00 | 100,000,000.00 |
| QRIS | 1,000.00 | 10,000,000.00 |
| StaticDanaSub, DynamicDanaSub | 10,000.00 | 50,000,000.00 |
| StaticCcSub, DynamicCcSub | 10,000.00 | 50,000,000.00 |
Data Signing Rules
- Paylabs and the Merchant each generate a 2048-bit RSA key pair (PKCS8 format) and exchange public keys (not private keys).
  a. The Merchant must send its public key to the Paylabs CS email (cs@paylabs.co.id).
  b. Upon merchant activation, an email containing the public key from Paylabs is sent to the Merchant.
- Minify the request body according to the following rules:
  Remove from the JSON content all symbols and space-related characters such as \n, \r, \t and the space character.
  If the value of a field is null, do not include that field when creating the signature.
- Prepare the strings:
  stringContent:
  HTTPMethod:EndpointUrl:Lowercase(SHA256Hex(minify(body))):TimeStamp
  Where:
  HTTPMethod: POST
  EndpointUrl: /payment/v2.3/va/create
  TimeStamp: Request header's X-TIMESTAMP
- Signing method:
  X-SIGNATURE: Base64(SHA256withRSA(stringContent, privateKey))
Data Signing Example
Example of generating RSA key pairs
# to generate RSA 2048 bits please check https://www.openssl.org/docs/man3.1/man1/genrsa.html
openssl genrsa -out rsakey.pem 2048 # generate 2048 bit RSA private key
# Convert to PKCS8 format (format supported by Java) https://www.openssl.org/docs/man3.1/man1/openssl-pkcs8.html
# Generate private key (used by Merchant, never sent to anyone)
openssl pkcs8 -topk8 -nocrypt -inform PEM -in rsakey.pem -outform PEM -out private-key.pem
# generate public key to send to Paylabs
openssl rsa -inform PEM -in rsakey.pem -pubout -outform PEM -out public-key.pem
Please note that the public key file starts and ends with the following lines:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
For example, we have the following request:
# POST Request
POST ${ROOT_URL}/payment/v2.3/va/create
# HTTP Header
Content-Type: application/json;charset=utf-8
# HTTP Body
{
"merchantId":"0010001",
"merchantTradeNo":"100100011650868989065",
"requestId":"200100011650868989065",
"paymentType":"CreditCard",
"amount":"10000.00",
"productName":"Test",
"paymentParams":{
"redirectUrl": "http://google.com"
}
}
Step 1: Minify the request body and save it to the minifyString variable
minifyString = {"merchantId":"0010001","merchantTradeNo":"100100011650868989065","requestId":"200100011650868989065","paymentType":"CreditCard","amount":"10000.00","productName":"Test","paymentParams":{"redirectUrl":"http://google.com"}}
Step 2: Combine these strings into stringContent:
stringContent = POST:/payment/v2.3/va/create:Lowercase(SHA256Hex(minifyString)):2022-09-16T16:58:47.964+07:00
Step 3: Sign the stringContent with the private key using SHA256withRSA, then Base64-encode the result to get X-SIGNATURE
X-SIGNATURE = Base64(SHA256withRSA(stringContent, privateKey))
After getting the signature string, put it into the HTTP header:
# POST Request
POST ${ROOT_URL}/payment/v2.3/va/create
# HTTP Header
Content-Type: application/json;charset=utf-8
X-TIMESTAMP: 2022-09-16T16:58:47.964+07:00
X-SIGNATURE: xxxxxxxxx
X-PARTNER-ID: 010001
X-REQUEST-ID: xxxxxxxxxxxxxxxxxxxxxxxx
# HTTP Body
{
"merchantId":"0010001",
"merchantTradeNo":"100100011650868989065",
"requestId":"200100011650868989065",
"paymentType":"CreditCard",
"amount":"10000.00",
"productName":"Test",
"paymentParams":{
"redirectUrl": "http://google.com"
}
}
API Protocols & Standards
| Type | Explanation |
|---|---|
| Submission Method | Use POST method -> Content-Type "application/json;charset=utf-8" |
| Data Format | Request and response in JSON format |
| Character Encoding | Use UTF-8 character encoding |
| Amount Format | Indonesia Rupiah with two decimals |
| Hash Method | SHA256withRSA |
| Signing Request | Signature verification is mandatory both when sending a request and when receiving a response. Check Data Signing Rules for details. |
| Verification Steps | First determine the response's protocol, then the business response and lastly the transaction status. |
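
The signing steps under Data Signing Rules, together with the receiver-side verification that the Signing Request row makes mandatory, as an added Node.js example (not Paylabs' own code). It assumes that minify means re-serializing the JSON without whitespace and without null fields while leaving string values untouched; the key pair is generated on the spot, and `exampleNote` is a hypothetical field added only to show null handling.

```javascript
const crypto = require("crypto");

// Minify: re-serialize the JSON without whitespace and drop null-valued fields.
// Assumption: whitespace inside string values is left untouched.
function minify(bodyText) {
  return JSON.stringify(JSON.parse(bodyText), (key, value) =>
    value === null ? undefined : value);
}

// stringContent = HTTPMethod:EndpointUrl:Lowercase(SHA256Hex(minify(body))):TimeStamp
function buildStringContent(method, endpointUrl, bodyText, timestamp) {
  const bodyHash = crypto.createHash("sha256")
    .update(minify(bodyText), "utf8").digest("hex").toLowerCase();
  return [method, endpointUrl, bodyHash, timestamp].join(":");
}

// X-SIGNATURE = Base64(SHA256withRSA(stringContent, privateKey))
function signRequest(method, endpointUrl, bodyText, timestamp, privateKeyPem) {
  const content = buildStringContent(method, endpointUrl, bodyText, timestamp);
  return crypto.sign("sha256", Buffer.from(content, "utf8"), privateKeyPem)
    .toString("base64");
}

// Receiver side: rebuild stringContent from the data that arrived, then verify.
function verifyRequest(method, endpointUrl, bodyText, timestamp, signatureB64, publicKeyPem) {
  const content = buildStringContent(method, endpointUrl, bodyText, timestamp);
  return crypto.verify("sha256", Buffer.from(content, "utf8"), publicKeyPem,
    Buffer.from(signatureB64, "base64"));
}

// Throwaway key pair for this example only (PKCS8 private key, as the page requires).
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
  publicKeyEncoding: { type: "spki", format: "pem" },
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
});

// Constructed sample: the page's request body plus a hypothetical null field ("exampleNote").
const ENDPOINT = "/payment/v2.3/va/create";
const TIMESTAMP = "2022-09-16T16:58:47.964+07:00";
const BODY = `{
  "merchantId":"0010001", "merchantTradeNo":"100100011650868989065",
  "requestId":"200100011650868989065", "paymentType":"CreditCard",
  "amount":"10000.00", "productName":"Test", "exampleNote": null,
  "paymentParams":{ "redirectUrl": "http://google.com" }
}`;
const SIGNATURE = signRequest("POST", ENDPOINT, BODY, TIMESTAMP, privateKey);
console.log(verifyRequest("POST", ENDPOINT, BODY, TIMESTAMP, SIGNATURE, publicKey));
```

Because the signature covers the hash of the minified body, reformatting the JSON does not affect verification, while any change to a field value, the endpoint or the timestamp after signing makes `verifyRequest` return false.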