Authentication

To ensure secure and reliable communication between your system and DANA's SNAP API, Bank Indonesia mandates the use of Asymmetric Signature Authentication. This method leverages cryptographic keys to verify the identity of the sender and protect data integrity during transactions.

Overview

In the asymmetric signature scheme:

  • Private Key: Used by you (the merchant) to digitally sign API requests.
  • Public Key: Shared with DANA to verify the authenticity of your requests.

By signing your request data with your private key, you provide a secure proof that the request originates from an authorized source. This process is critical to meeting the regulatory standards mandated by Bank Indonesia.

DANA Public Key


Obtaining Testing Credentials

  1. Visit https://dashboard.dana.id/sandbox/
  2. You will receive the following credentials:
    • URL API Sandbox
    • Merchant ID
    • Client ID known as X-PARTNER-ID
    • Client Secret
    • Public Key
    • Private Key

Obtaining Production Credentials

After you have completed sandbox testing, the next step is moving to production. For the production environment you generate your own key pair and submit the generated Public Key so that DANA can verify your requests.

The following steps generate the asymmetric key pair used for signing in the production environment. The same private key file is used in all three commands.

Create Private Key (PKCS#1)
openssl genrsa -out rsa_private_key.pem 2048
Encode Private Key to PKCS#8
openssl pkcs8 -topk8 -in rsa_private_key.pem -out pkcs8_rsa_private_key.pem -nocrypt
Generate Public Key
openssl rsa -in rsa_private_key.pem -out rsa_public_key.pem -pubout

Note that -nocrypt writes the PKCS#8 private key unencrypted, so restrict the file permissions of both private key files.

Using the Credential

You will receive two credentials: a Private Key and a Public Key.

The Private Key is used to authenticate and communicate securely with DANA. Keep this key confidential and do not share it. The Public Key must be shared with DANA by uploading it through the Merchant Portal during form submission. After successful submission, you will receive other credentials, including Merchant ID, Client ID (also known as X-PARTNER-ID), and Client Secret.


Asymmetric Digital Signatures (X-SIGNATURE)

Skip this step if you're using the DANA Library, as it handles this automatically.

SNAP APIs require a specific signature string to be generated for a field called X-SIGNATURE. This signature will be validated by DANA using your public key to confirm the authenticity of the request.


Required Data | Format | Example
X-CLIENT-KEY | Unique identifier for the partner, generated by DANA (also known as clientId) | 82150823919040624621823174737537
X-TIMESTAMP | Transaction date and time in the format YYYY-MM-DDTHH:mm:ss+07:00 (GMT+7) | 2022-11-30T09:45:35+07:00

The following steps are used to generate the signature from these two values:

Step 1: Compose the string to sign

Compose the string like the following format:

Format for string to sign
<X-CLIENT-KEY> +|+ <X-TIMESTAMP>
Example of composed string
82150823919040624621823174737537|2020-12-18T15:06:00+07:00
Step 2: Sign the string

Sign the composed string with SHA256withRSA (an RSA-2048 private key in PKCS#8 or PKCS#1 format), then encode the resulting signature in Base64.

Example signature
laQUFqUd7k4NiL1ntrkyIRUSYA+Mhr2UEaDRHNt7dbySZ+FiBpf0CKyZNakgGZ1ypfTmAZuHiOzbQdpDfrmwE4TJ471Gv3Ly7VE4L0t3TRMz8p21Iczk0rNMINAvketkaRrFL6+xDH2q6YLdDv/R5vpDH5hmOyGiIIApfzcOxzUxIcumsku5HT+oyhCUsnCDCtmSUv0xah8ghPhrZzMYAzTnFDy/fJZaa2dYyhm+7HULfG6ErqDTI1tRkmPczDmm+ufPP17VKgXZCsSKXa6e3Zo6ob1MO6PIjm5Agj/TftaDtmEt9cFUT9djWzOKFrTp6OI3hcbphUwidGP81XRvtQ==
Step 3: Add the Signature to the HTTP Header "X-SIGNATURE"

Place the generated signature into your request header under the field X-SIGNATURE.

Example X-SIGNATURE
X-SIGNATURE: laQUFqUd7k4NiL1ntrkyIRUSYA+Mhr2UEaDRHNt7dbySZ+FiBpf0CKyZNakgGZ1ypfTmAZuHiOzbQdpDfrmwE4TJ471Gv3Ly7VE4L0t3TRMz8p21Iczk0rNMINAvketkaRrFL6+xDH2q6YLdDv/R5vpDH5hmOyGiIIApfzcOxzUxIcumsku5HT+oyhCUsnCDCtmSUv0xah8ghPhrZzMYAzTnFDy/fJZaa2dYyhm+7HULfG6ErqDTI1tRkmPczDmm+ufPP17VKgXZCsSKXa6e3Zo6ob1MO6PIjm5Agj/TftaDtmEt9cFUT9djWzOKFrTp6OI3hcbphUwidGP81XRvtQ==

Before generating the signature, prepare the required data:

Required Data | Format | Example
HTTP METHOD | The HTTP method of the API, for instance GET, POST, PUT, PATCH or DELETE | POST
RELATIVE PATH URL | The relative URL path of the API | /v1.0/balance-inquiry.htm
HTTP BODY | The request body, minified and then hashed with SHA-256 (lowercase hex) | e9295c3253c05560273ff305d9eea6abf77fff65229bf90b1781383c09c29d98
X-TIMESTAMP | Transaction date and time in the format YYYY-MM-DDTHH:mm:ss+07:00; the time must be in GMT+7 (Jakarta time) | 2022-11-30T09:45:35+07:00

The following steps are used to generate the signature for a transactional API request:

Step 1: Minify the request body

Minify the request body like the following format:

Before Minify
{
    "partnerReferenceNo": "2020102900000000000001",
    "balanceTypes": ["BALANCE"],
    "additionalInfo": {
        "accessToken": "fa8sjjEj813Y9JGoqwOeOPWbnt4CUpvIJbU1mMU4a11MNDZ7Sg5u9a"
    }
}
After Minify
{"partnerReferenceNo":"2020102900000000000001","balanceTypes":["BALANCE"],"additionalInfo":{"accessToken":"fa8sjjEj813Y9JGoqwOeOPWbnt4CUpvIJbU1mMU4a11MNDZ7Sg5u9a"}}
Step 2: Lowercase(HexEncode(SHA-256(RequestBody)))

The following is an example of the lowercase hex-encoded SHA-256 digest of the minified request body. Including it in the string to sign binds the signature to the body, so any modification of the body in transit is detected during signature validation.

Example Lowercase(HexEncode(SHA-256(RequestBody)))
e9295c3253c05560273ff305d9eea6abf77fff65229bf90b1781383c09c29d98
Step 3: Compose the string to sign

Compose the string like the following format:

Format string to sign
<HTTP METHOD> +:+ <RELATIVE PATH URL> +:+ LowerCase(HexEncode(SHA-256(Minify(<HTTP BODY>)))) +:+ <X-TIMESTAMP>
Example of composed string
POST:/v1.0/balance-inquiry.htm:e9295c3253c05560273ff305d9eea6abf77fff65229bf90b1781383c09c29d98:2022-11-30T09:45:35+07:00
Step 4: Sign the string

Sign the composed string with SHA256withRSA (an RSA-2048 private key in PKCS#8 or PKCS#1 format), then encode the resulting signature in Base64.

Example signature
iSkd8HPpdeeQSnq5lSRM46l8w/C4ZhNq7ordOv2dfDC0A0rGWxqz+9j864gcuVhu0tgTHJUuV9k5wsluig/sJ4W5Yy1EZPzbpeeUwFxSK0WgnW5LLq/h5RQAgVEyJL5MI1KrByzBQIv+5IYgKaLFmTLeo4xy7ToLJKND/6Ja+HRuo+SpnzNA2NNJEcc+PI87pAo0yXItZhjUXhyz9rkv0P8Ra8tDar2asHVGxA5BiGthy/eyPbe9VYavfMrOKAZpISw9VVoZ1axHgqvLCVEPodIx45nWUqF96PUyIB2H51VZCTPaxeefpdKzgPR0Ji24zIeFhaowk7i2znPnNDINvA==
Step 5: Add the Signature to the HTTP Header "X-SIGNATURE"

Place the generated signature into your request header under the field X-SIGNATURE.

Example X-SIGNATURE
X-SIGNATURE: iSkd8HPpdeeQSnq5lSRM46l8w/C4ZhNq7ordOv2dfDC0A0rGWxqz+9j864gcuVhu0tgTHJUuV9k5wsluig/sJ4W5Yy1EZPzbpeeUwFxSK0

Validating Signatures

Skip this step if you're using the DANA Library, as it handles this automatically.

Here's a guideline for validating a digital signature in API requests. Follow these steps to ensure the authenticity and integrity of the request.

1. Get the Digital Signature

The digital signature is included in the HTTP header under the key X-SIGNATURE.

Example
X-SIGNATURE: iSkd8HPpdeeQSnq5lSRM46l8w/C4ZhNq7ordOv2dfDC0A0rGWxqz+9j864gcuVhu0tgTHJUuV9k5wsluig/sJ4W5Yy1EZPzbpeeUwFxSK0
2. Compose the String to Verify

Build the string that will be used to verify the digital signature:

Format
<HTTP METHOD> +:+ <RELATIVE PATH URL> +:+ LowerCase(HexEncode(SHA-256(Minify(<HTTP BODY>)))) +:+ <X-TIMESTAMP>
3. Verify the Signature
  • Verify the signature with SHA256withRSA (RSA-2048) using the public key of the API sender.
  • Base64-decode the value of the X-SIGNATURE header and validate it against the string composed in step 2; the string must be rebuilt from the method, path, body and X-TIMESTAMP as actually received, not from values supplied elsewhere in the request.
4. Consume the Request
  • If the verification is successful (the signature matches), proceed with processing the request.
  • If the verification fails, reject the request.
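The added example below (written for this page, not DANA's library code) implements the sender-side steps of the transactional signature (minify, lowercase hex SHA-256, compose, SHA256withRSA, Base64) and the receiver-side check from steps 2 to 4, rejecting anything that fails to decode or verify. Function names are assumptions; NewKeyPair is a hypothetical test convenience, and in production the PKCS#8 key from the openssl steps would be loaded instead. The same Sign function also produces the access-token signature over <X-CLIENT-KEY>|<X-TIMESTAMP>.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// NewKeyPair is a hypothetical test convenience only; in production load
// the PKCS#8 private key generated with openssl instead of creating one here.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// StringToSign builds <METHOD>:<PATH>:Lowercase(HexEncode(SHA-256(Minify(body)))):<X-TIMESTAMP>.
func StringToSign(method, path string, body []byte, timestamp string) (string, error) {
	var minified bytes.Buffer // json.Compact drops whitespace and keeps key order
	if err := json.Compact(&minified, body); err != nil {
		return "", err
	}
	digest := sha256.Sum256(minified.Bytes())
	// %x on the byte slice yields lowercase hex, so no separate LowerCase step is needed.
	return fmt.Sprintf("%s:%s:%x:%s", method, path, digest[:], timestamp), nil
}

// Sign returns the Base64 X-SIGNATURE value: SHA256withRSA (PKCS#1 v1.5) over
// the string to sign. "<X-CLIENT-KEY>|<X-TIMESTAMP>" is signed the same way.
func Sign(priv *rsa.PrivateKey, stringToSign string) (string, error) {
	h := sha256.Sum256([]byte(stringToSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Verify is the receiver's side: rebuild the string from the request as received,
// then check X-SIGNATURE with the sender's public key. Undecodable or mismatching
// signatures are rejected (false), never skipped.
func Verify(pub *rsa.PublicKey, stringToSign, xSignature string) bool {
	sig, err := base64.StdEncoding.DecodeString(xSignature)
	if err != nil {
		return false
	}
	h := sha256.Sum256([]byte(stringToSign))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
```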

Code Example

Below are example code snippets that implement all the authentication-related functions, one per programming language:

Support

Need help? Contact our Merchant Support Team or join our Discord server.