Signature Playground | PayLabs Docs

Signature Tools

Generate & Verify (RSA PKCS#8 + SHA-256)

Build the canonical string, sign with your private key, or verify using your public key. Keys stay in your browser.

How it works

Canonical format: METHOD:ENDPOINT:SHA256(minified JSON body):TIMESTAMP
ENDPOINT must start with “/”.
TIMESTAMP should be ISO 8601 with timezone, e.g. 2025-07-03T14:23:45+07:00.
Body is minified before hashing, so keep fields and types correct.

Steps

Fill method, endpoint, timestamp, and JSON body.
Paste your private key (PKCS#8 or RSA PKCS#1) to sign.
Click “Generate Signature (RSA)” to get Base64 for X-SIGNATURE.
Paste a signature + public key (SPKI or RSA PKCS#1) then “Verify Signature” to validate.
Optional: “Generate demo keypair” creates local RSA 2048 keys (not sent anywhere).

HTTP MethodEndpoint URL (start with “/”)Timestamp (ISO 8601 with timezone)

Request Body (JSON)

Uses minified JSON to compute SHA256(body)

{
  "requestId": "1234567890",
  "merchantId": "010001",
  "merchantTradeNo": "1234567890",
  "paymentType": "QRIS",
  "amount": "170000.00",
  "productName": "Test"
}

{
  "requestId": "1234567890",
  "merchantId": "010001",
  "merchantTradeNo": "1234567890",
  "paymentType": "QRIS",
  "amount": "170000.00",
  "productName": "Test"
}

Private Key (for sign)

PKCS#8 or PKCS#1

Public Key (for verify)

SPKI or RSA PKCS#1

Canonical preview

Invalid JSON body; cannot compute preview.

Signature (Base64)

(Generate to populate)

Verify signature

Paste Base64 signature to check

Keys and payloads stay in your browser; nothing is sent over the network. Do not paste production private keys on shared devices.