Authentication
The authentication process in the Cortina API involves using the Start Session endpoint to send a pre-shared Token to the integrator, who will perform additional encryption steps to ensure secure communication between Nayax and the Integrator.
Authentication Process
Below is a step-by-step breakdown of the authentication process, with examples to help you understand each part.
- Before starting, Nayax and the Integrator agree on a shared Secret Token. This token is used for encryption and decryption. See the example token below:
mrV3U3nsgGFrE3w5-wnBo_WCLPce-pZ1awRvTVTkungMIKThTVbj_fiXdfoGclhn0
- Nayax sends the Start Session Request with the Token ID and a 27-character Random String. For example:
123456789qwertyuioasdfghjkl
- The Integrator generates a Transaction ID of 36 numeric characters. For example:
123456789012345678901234567890123456
- The Integrator prepares the Ciphertext by joining the Transaction ID and the received Random String with a "=" separator, giving a 64-character string (36 + 1 + 27). For this example, it is the following:
123456789012345678901234567890123456=123456789qwertyuioasdfghjkl
- The Integrator derives the encryption key from the last 32 characters of the Secret Token (32 ASCII bytes, i.e. a 256-bit AES key):
wRvTVTkungMIKThTVbj_fiXdfoGclhn0
- Using AES in ECB mode with PKCS5 padding, the Integrator encrypts the Ciphertext with that key. The Base64-encoded result is then returned in the Start Session response to Nayax. In our example it produces the following cipher:
a0Qnxm4fWMskzFXiMivn8BDiQVSL6be/NXIICC9HBoAiry6DUdKYPQh/YS1G8nObE6/0o9N4MFuYA7CTAxAnphuNJwBEjgBzKhhgpJ5ggnw=
- Nayax uses the same encryption key to decrypt the Ciphertext and validates that the Random String matches the one sent in the request and that the payload has the expected format.
- Once the Transaction ID is decrypted, Nayax uses it for subsequent requests such as GenerateQR, Inquiry, Sale, and Authorization.
The Integrator must validate that the Transaction ID in requests like GenerateQR, Sale, Authorization, and Inquiry was created in a previous Start Session request and is still valid. It is recommended that the Transaction ID remain valid for no longer than 10 minutes for these requests.
Expired Requests
Requests like Settlement, Void, Cancel, and Refund can still be processed even after the Transaction ID has expired, as these might be required after the original Authorization, Sale, or Inquiry request.
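The following is an added example (not Nayax's or any integrator's code) that walks through both sides of the Start Session exchange described above and the Transaction ID validity rules from the two paragraphs that follow it: key derivation from the last 32 characters of the Secret Token, the 36=27 payload layout, AES-ECB with PKCS5 padding (PKCS5 and PKCS7 coincide for AES's 16-byte block), Base64 encoding, the Nayax-side format and Random String checks, and an integrator-side store that enforces the 10-minute window while still admitting Settlement, Void, Cancel and Refund after expiry. It assumes the `cryptography` package is installed; the function and class names, the alphanumeric alphabet used for the Random String, and the clock passed as `now` are this example's own choices.

```python
import base64
import secrets
import string

# Assumption: the third-party 'cryptography' package is installed (pip install cryptography).
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

RANDOM_LEN = 27                               # Random String in the Start Session request
TXN_LEN = 36                                  # Transaction ID, digits only
PLAINTEXT_LEN = TXN_LEN + 1 + RANDOM_LEN      # 36 + "=" + 27 = 64 characters
TXN_TTL_SECONDS = 10 * 60                     # recommended validity window


def derive_key(secret_token: str) -> bytes:
    """Encryption key = last 32 characters of the shared Secret Token (32 bytes, AES-256)."""
    if len(secret_token) < 32:
        raise ValueError("Secret Token must be at least 32 characters long")
    return secret_token[-32:].encode("ascii")


def new_transaction_id() -> str:
    """Integrator side: a fresh 36-digit Transaction ID."""
    return "".join(secrets.choice(string.digits) for _ in range(TXN_LEN))


def new_random_string() -> str:
    """Nayax side: a fresh 27-character Random String (alphanumeric alphabet is an assumption)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(RANDOM_LEN))


def encrypt_session(secret_token: str, transaction_id: str, random_string: str) -> str:
    """Integrator side: build '<txn>=<random>', AES-ECB/PKCS5-encrypt it, return Base64."""
    if len(transaction_id) != TXN_LEN or not transaction_id.isdigit():
        raise ValueError("Transaction ID must be exactly 36 digits")
    if len(random_string) != RANDOM_LEN:
        raise ValueError("Random String must be exactly 27 characters")
    plaintext = f"{transaction_id}={random_string}".encode("ascii")   # 64 bytes
    padder = padding.PKCS7(128).padder()      # PKCS5 padding == PKCS7 with a 16-byte block
    padded = padder.update(plaintext) + padder.finalize()             # 80 bytes
    encryptor = Cipher(algorithms.AES(derive_key(secret_token)), modes.ECB()).encryptor()
    ciphertext = encryptor.update(padded) + encryptor.finalize()
    return base64.b64encode(ciphertext).decode("ascii")               # 108 characters


def decrypt_and_validate(secret_token: str, cipher_b64: str, expected_random: str) -> str:
    """Nayax side: decrypt, check layout and Random String, return the Transaction ID."""
    ciphertext = base64.b64decode(cipher_b64, validate=True)
    decryptor = Cipher(algorithms.AES(derive_key(secret_token)), modes.ECB()).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    text = (unpadder.update(padded) + unpadder.finalize()).decode("ascii")
    # Format check: 36 digits, "=", then the 27-character Random String.
    if len(text) != PLAINTEXT_LEN or text[TXN_LEN] != "=":
        raise ValueError("decrypted payload has the wrong layout")
    transaction_id, random_string = text[:TXN_LEN], text[TXN_LEN + 1:]
    if not transaction_id.isdigit():
        raise ValueError("Transaction ID is not numeric")
    # Constant-time comparison against the Random String sent in the request.
    if not secrets.compare_digest(random_string, expected_random):
        raise ValueError("Random String does not match the Start Session request")
    return transaction_id


class TransactionStore:
    """Integrator side: Transaction IDs issued in Start Session and their validity window."""

    # Request types that may still be processed after the Transaction ID has expired.
    ALLOWED_AFTER_EXPIRY = frozenset({"Settlement", "Void", "Cancel", "Refund"})

    def __init__(self, ttl_seconds: int = TXN_TTL_SECONDS) -> None:
        self._issued_at = {}          # transaction_id -> time it was issued
        self.ttl_seconds = ttl_seconds

    def register(self, transaction_id: str, now: float) -> None:
        self._issued_at[transaction_id] = now

    def is_valid(self, transaction_id: str, request_type: str, now: float) -> bool:
        issued = self._issued_at.get(transaction_id)
        if issued is None:
            return False              # never created by a Start Session request
        if request_type in self.ALLOWED_AFTER_EXPIRY:
            return True               # follow-up to an earlier Authorization/Sale/Inquiry
        return now - issued <= self.ttl_seconds   # GenerateQR, Sale, Authorization, Inquiry


if __name__ == "__main__":
    # Values taken from the page's worked example.
    token = "mrV3U3nsgGFrE3w5-wnBo_WCLPce-pZ1awRvTVTkungMIKThTVbj_fiXdfoGclhn0"
    rnd = "123456789qwertyuioasdfghjkl"
    txn = "123456789012345678901234567890123456"
    cipher = encrypt_session(token, txn, rnd)
    print(cipher)
    print(decrypt_and_validate(token, cipher, rnd) == txn)
```

Running the module with the page's example values prints the Base64 cipher, which can be compared against the one shown in the step list. Because ECB mode provides no integrity protection of its own, the layout check and the Random String comparison in `decrypt_and_validate` are the only thing tying the response to the request, so they are applied strictly (exact lengths, numeric check, constant-time compare) rather than with a loose parse.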