Security
Last update: August 3, 2023
Exchange format
The exchange format of the API is JSON with UTF-8 encoding.
Exchange security
Exchanges are secured end to end via a tunnel encrypted by HTTPS in TLS 1.2 Protocol.
Partner authentication through API KEY
Any call to a Web service shall include, in the header of the request, a variable X-Oney-Authorization = 'API KEY' in order to ensure his identification by Oney. The API KEY is specific to the partner (merchant or PSP). The API Key is a data that allows:
- Secure exchange between Oney and the partner system
- Control authorizations to access the services of the Oney interface
- Calibrate the number of queries per second (limit) that the partner may send to Oney
The API Key is generated and assigned by Oney to a partner.
The API Key is specific to an environment: A partner will have a specific API Key for the qualification environment and a specific one for production environment.
Note: Several merchants belonging to the same brand will all use the same API Key.
So, for a given environment, it is the same KEY used for all merchants (or shops) belonging to a common brand partner.
The API Key is sent by Oney by email within an encrypted file in a zip format, a password will be provided through the phone.
Global unique identifier (GUID)
Oney assign to each partner (PSP and merchant) a GUID to be able to manage their contract.
This GUID is present in all requests from partner to Oney. GUID is specific to an environment (like API KEY) and to a country