Security

Last update: August 3, 2023

Exchange format

The exchange format of the API is JSON with UTF-8 encoding.

Exchange security

Exchanges are secured end to end through an HTTPS tunnel encrypted with the TLS 1.2 protocol.

Partner authentication through API KEY

Every call to a web service must include, in the request header, the variable X-Oney-Authorization = 'API KEY' so that Oney can identify the partner. The API Key is specific to the partner (merchant or PSP). The API Key is a piece of data that makes it possible to:

  • Secure the exchange between Oney and the partner system
  • Control authorizations to access the services of the Oney interface
  • Calibrate the number of queries per second (limit) that the partner may send to Oney

The API Key is generated and assigned by Oney to a partner.
The API Key is specific to an environment: a partner will have one API Key for the qualification environment and another for the production environment.

So, for a given environment, the same key is used for all merchants (or shops) belonging to a common brand partner.
Oney sends the API Key by email in an encrypted zip file; the password is provided by phone.

Global unique identifier (GUID)

Oney assigns each partner (PSP and merchant) a GUID in order to manage their contract.
This GUID is present in all requests from the partner to Oney. The GUID is specific to an environment (like the API Key) and to a country.
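
The rules above, combined in one client-side sketch: a TLS 1.2 floor, a JSON body in UTF-8, the X-Oney-Authorization header, and one key and GUID per environment kept out of logs. This is an added example, not Oney's own code; the host names, the environment variable names, the `/example` path and the `merchant_guid` field name are assumptions and do not come from this page.

```python
import json
import ssl
import urllib.request

# Hypothetical base URLs: placeholders, not values published on this page.
# One entry per environment so a key is never sent to the wrong host.
ENVIRONMENTS = {
    "qualification": "https://qualification.example.invalid",
    "production": "https://production.example.invalid",
}


def tls_context():
    """Certificate-verifying context that refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_request(env_name, path, payload, environ):
    """Build (without sending) a JSON/UTF-8 POST for one environment."""
    base_url = ENVIRONMENTS[env_name]  # KeyError on an unknown environment
    suffix = env_name.upper()
    api_key = environ.get(f"ONEY_API_KEY_{suffix}")  # assumed variable name
    guid = environ.get(f"ONEY_GUID_{suffix}")        # assumed variable name
    if not api_key or not guid:
        raise RuntimeError(f"missing credentials for {env_name}")
    # "merchant_guid" is a hypothetical field name for the GUID.
    body = json.dumps({**payload, "merchant_guid": guid},
                      ensure_ascii=False).encode("utf-8")
    return urllib.request.Request(
        base_url + path, data=body, method="POST",
        headers={"X-Oney-Authorization": api_key,
                 "Content-Type": "application/json; charset=utf-8"})


def redacted_headers(request):
    """Headers safe to log: the API key value is never written out."""
    return {k: ("<redacted>" if k.lower() == "x-oney-authorization" else v)
            for k, v in request.header_items()}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {"ONEY_API_KEY_QUALIFICATION": "constructed-key",
              "ONEY_GUID_QUALIFICATION": "00000000-0000-0000-0000-000000000000"}
    req = build_request("qualification", "/example", {"note": "é"}, sample)
    print(req.full_url, redacted_headers(req))
    # To send: urllib.request.urlopen(req, context=tls_context())
```

Reading the key from the process environment keeps it out of source control, and looking it up by environment name means a qualification build cannot pick up the production key by accident.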