The host web app page and API calls are protected by JWT authentication, which ensures that only validated users can access PSInet Store.
Request:
Tokens are obtained by a POST request to the JWT endpoint with the following XML body:
Root: <PSInetRequest>
<RCNumber>
<Password> - supplied by Payment Source, GUID format
Response:
Root: <PSInetResponse>
<Token>
Tokens issued will only be valid for 24 hours.
Token signatures use RS256 (RSASSA-PKCS1-v1_5 with SHA-256) with a 2048-bit RSA key. See the Environment section for the public key.
If an expired JWT is used, response code "8" will be returned.
The redirect to this web app requires the token to be added to the URL as a parameter. Because the token travels in the URL, it will appear in browser history and in any proxy or web-server access logs along the way; treat those logs as sensitive.
If the token is not valid, PSInet Store will return the Response Page with a System Error.
All API calls require the JWT to be sent in the Authorization header as a bearer token.
Example: Authorization: Bearer <JWT>
If the token is not valid, the call will return a System Error.
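The token request, the response handling, the 24-hour lifetime and the bearer header described above, as an added client-side example (this is not PSInet's own code). It assumes the JWT endpoint accepts the <PSInetRequest> XML body as-is and that the issued JWT carries a standard RFC 7519 exp claim; the endpoint itself is replaced by a constructed stand-in (demo_endpoint, make_demo_token) so the code runs offline, and the RC number and password values are made up.

```python
import base64
import json
import time
import xml.etree.ElementTree as ET
from typing import Callable, Optional

FetchFn = Callable[[bytes], bytes]   # POSTs the XML body, returns the XML response


def build_token_request(rc_number: str, password: str) -> bytes:
    """Serialise the <PSInetRequest> body. ElementTree escapes the values, so a
    value containing '<' or '&' cannot break out of its element."""
    root = ET.Element("PSInetRequest")
    ET.SubElement(root, "RCNumber").text = rc_number
    ET.SubElement(root, "Password").text = password
    return ET.tostring(root, encoding="utf-8")


def parse_token_response(body: bytes) -> str:
    """Return the <Token> text from a <PSInetResponse>; reject any other shape."""
    root = ET.fromstring(body)
    if root.tag != "PSInetResponse":
        raise ValueError(f"unexpected root element {root.tag!r}")
    token = root.findtext("Token")
    if not token or not token.strip():
        raise ValueError("response contains no <Token>")
    return token.strip()


def jwt_expiry(token: str) -> Optional[int]:
    """Read the 'exp' claim from the JWT payload without verifying the signature.
    Used only to schedule a refresh: the store, not this client, verifies the
    RS256 signature, so nothing here trusts the claims for authorisation."""
    try:
        payload_b64 = token.split(".")[1]
        payload_b64 += "=" * (-len(payload_b64) % 4)       # restore base64url padding
        payload = json.loads(base64.urlsafe_b64decode(payload_b64))
        return int(payload["exp"]) if "exp" in payload else None
    except (IndexError, ValueError, TypeError, KeyError):
        return None


def bearer_header(token: str) -> dict:
    """Authorization header for API calls; the scheme name is 'Bearer' (RFC 6750)."""
    return {"Authorization": f"Bearer {token}"}


class TokenCache:
    """Fetch a token on first use and replace it shortly before 'exp', so no API
    call is made with a token the store would reject with response code 8."""

    def __init__(self, fetch: FetchFn, rc_number: str, password: str, skew_seconds: int = 60):
        self._fetch = fetch
        self._rc_number = rc_number
        self._password = password
        self._skew = skew_seconds
        self._token: Optional[str] = None
        self._exp: Optional[int] = None

    def token(self, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        stale = self._exp is not None and now >= self._exp - self._skew
        if self._token is None or stale:
            body = self._fetch(build_token_request(self._rc_number, self._password))
            self._token = parse_token_response(body)
            # No readable exp claim: fall back to the documented 24-hour lifetime.
            self._exp = jwt_expiry(self._token) or now + 24 * 3600
        return self._token


# --- constructed stand-in for the JWT endpoint, so the example runs offline ---

def make_demo_token(exp: int) -> str:
    """Unsigned demo JWT with the given 'exp'; the signature segment is a placeholder,
    a real token is RS256-signed by PSInet."""
    def segment(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{segment({'alg': 'RS256', 'typ': 'JWT'})}.{segment({'exp': exp})}.placeholder"


def demo_endpoint(exp: int) -> FetchFn:
    """Checks the request shape and answers with <PSInetResponse><Token>...</Token>."""
    def fetch(body: bytes) -> bytes:
        req = ET.fromstring(body)
        if req.tag != "PSInetRequest" or not req.findtext("RCNumber") or not req.findtext("Password"):
            raise ValueError("malformed <PSInetRequest>")
        resp = ET.Element("PSInetResponse")
        ET.SubElement(resp, "Token").text = make_demo_token(exp)
        return ET.tostring(resp, encoding="utf-8")
    return fetch


if __name__ == "__main__":
    now = int(time.time())
    cache = TokenCache(demo_endpoint(now + 24 * 3600), "RC001", "11111111-2222-3333-4444-555555555555")
    print(bearer_header(cache.token()))
```

The refresh skew is deliberately larger than zero: a token that is valid when the client checks it can still be expired by the time the store receives the request, and the spec's only signal for that is response code 8.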
To ensure the data passed into the host page has not been modified, a hash signature is required.
The following fields are concatenated in the listed order:
RC Number
Wicket Number
Clerk ID
Session ID
Shared Secret - supplied by Payment Source, GUID format
The fields are concatenated with no delimiter, and the hash signature is the SHA-256 digest of the result.
This is added as a URL parameter called Hash, encoded as hexadecimal.
If the Hash sent as part of the URL does not match the value calculated by PSInet Store, the call will return a System Error.
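The hash computation and the matching server-side check, as an added example (not PSInet's own code). The concatenation order and the secret-last layout follow the field list above; the parameter names RCNumber, WicketNumber, ClerkID and SessionID, the base URL, the token and the GUID values are assumed for illustration, since the spec only fixes the name Hash.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Parameter names on the host-page URL; assumed for illustration, the spec
# only fixes the name "Hash".
HASHED_PARAMS = ("RCNumber", "WicketNumber", "ClerkID", "SessionID")


def compute_hash(rc_number: str, wicket_number: str, clerk_id: str,
                 session_id: str, shared_secret: str) -> str:
    """SHA-256 over the four fields and the shared secret, concatenated in listed
    order with no delimiter; returned as lowercase hex for the Hash parameter."""
    message = rc_number + wicket_number + clerk_id + session_id + shared_secret
    return hashlib.sha256(message.encode("utf-8")).hexdigest()


def build_host_url(base_url: str, token: str, rc_number: str, wicket_number: str,
                   clerk_id: str, session_id: str, shared_secret: str) -> str:
    """Sender side: the redirect URL carrying the fields, the JWT and the Hash."""
    params = {
        "RCNumber": rc_number,
        "WicketNumber": wicket_number,
        "ClerkID": clerk_id,
        "SessionID": session_id,
        "Token": token,
        "Hash": compute_hash(rc_number, wicket_number, clerk_id, session_id, shared_secret),
    }
    return f"{base_url}?{urlencode(params)}"


def verify_host_url(url: str, shared_secret: str) -> bool:
    """Receiver side: recompute the hash from the received fields and compare in
    constant time. A missing, empty or repeated parameter, or a Hash that is not
    64 hex digits, is rejected (the spec's System Error) before any comparison."""
    query = parse_qs(urlsplit(url).query)      # empty values are dropped, so count as missing
    values = []
    for name in HASHED_PARAMS + ("Hash",):
        got = query.get(name, [])
        if len(got) != 1:                       # absent or repeated parameter
            return False
        values.append(got[0])
    *fields, received = values
    if len(received) != 64 or any(c not in "0123456789abcdefABCDEF" for c in received):
        return False
    expected = compute_hash(*fields, shared_secret)
    # Hex is case-insensitive, so normalise before comparing; compare in constant
    # time so the check leaks nothing about the expected value.
    return hmac.compare_digest(expected, received.lower())


if __name__ == "__main__":
    secret = "123e4567-e89b-12d3-a456-426614174000"   # constructed, not a real secret
    url = build_host_url("https://store.example/host", "demo.jwt.token",
                         "RC001", "W7", "CLK42", "S-abc", secret)
    print(url)
    print("valid:", verify_host_url(url, secret))
    print("tampered:", verify_host_url(url.replace("CLK42", "CLK43"), secret))
```

One property of the scheme worth knowing on the receiving side: because the fields are joined without a delimiter, different splits of the same string hash identically (RCNumber=12, WicketNumber=34 gives the same Hash as RCNumber=1, WicketNumber=234). The Hash therefore binds the concatenated string, not the boundaries between fields, and the store must still validate each field's own format and length.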