PayPay uses a hashed value created from an API key, and an API key secret for API authentication
Please refer to the examples below, and the specification documentation to create a HMAC header.
HMAC authentication for POST API "create a code"
<API endpoint used>
/v2/codes
<Authentication information>
API key: sample_key
API secret: sample_secret
nonce: fedaa4
Epoc:1743138611
<Request content>
{
"merchantPaymentId": "TEST_QR_Payment",
"amount": {
"amount":10,
"currency": "JPY"
},
"codeType": "ORDER_QR",
"isAuthorization":false,
"redirectUrl":"https://about.paypay.ne.jp/",
"redirectType":"WEB_LINK"
}
<HMAC header created with the above information>
hmac OPA-Auth:sample_key:C2a7jD7OjL1DXnZhSYQfRI2Oxfdh43htV7pG8cwgCy4=:fedaa4:1743138611:T9wzkv1tUWIxzIHQUT7iDQ==
HMAC authentication for GET API "Get payment details"
<API endpoint used>
/v2/codes/payments/{merchantPaymentId}
<Authentication information>
API key: sample_key
API secret: sample_secret
nonce:a360e2
Epoc:1743139337
bodyHash: empty
content: empty
<Request content>
Empty
<merchantPaymentID used>
TEST_merchantPaymentID
<HMAC header created with the above information>
hmac OPA-Auth:sample_key:JbUZwAUKeQ+WDClEjkCGwYG/juFR+Dd5RK5AfL0gK9w=:a360e2:1743139337:empty
Please refer to the below for the detailed documents of the HMAC authentication.
https://internal.dev.paypay.ne.jp/opa-doc/jp/v1.0/api_authorization