APIDOCS Oauth SNAP BI (Internal version v1.1)


Access Token and Signature

API Information

Title Oauth SNAP BI
Version v1.0
URL Sandbox https://sandbox.partner.api.bri.co.id
URL Production  

Version Control

API Version | Date | Link to document | Description
v1.0 | 2 December 2021 | this page | Baseline version.
v1.0 | 18 April 2022 | this page | Update Field Format
v1.0 | 29 August 2022 | this page | Update URL path

Product Description

Product Overview

Private Key & Public Key

This feature is used to get an access token that functions as authentication when you want to access other APIs. It relies on a private_key and a public_key, which the partner generates as an RSA 2048 key pair.

The private_key is stored on the partner side, and the public_key is added via the BRI developer portal in the "Manage Snap Key" menu. What the partner signs with the private_key is validated against the previously registered public_key: the partner uses the private_key to generate X-SIGNATURE when requesting a token, and BRI uses the public_key to validate the X-SIGNATURE value sent by the partner.

Endpoint

A. Get Token

Endpoint Description

This feature is used to get an access token that functions as authentication when you want to access other APIs. Get Token should be called once every 10 to 15 minutes to obtain a fresh access token; partners are advised not to request a token every time they access an endpoint of a product service.

General Information

HTTP Method POST
Path /snap/v1.0/access-token/b2b
Format Type JSON
Authentication Digital Signature

Header Structure

X-SIGNATURE
    Mandatory: M
    Description: Asymmetric signature with the SHA256withRSA algorithm: SHA256withRSA(Private_Key, stringToSign), where stringToSign = client_ID + "|" + X-TIMESTAMP

X-CLIENT-KEY
    Format: Alphanumeric
    Mandatory: M
    Description: Client's client_id (PJP name), given on completion of the registration process

X-TIMESTAMP
    Format: Datetime
    Mandatory: M
    Description: Client's current local time in yyyy-MM-ddTHH:mm:ss.SSSTZD format

Content-Type
    Value: application/json
    Mandatory: M

Request Structure

grantType
    Data Type: String
    Format: Alphabet
    Mandatory: M
    Description: client_credentials: the client can request an access token using only its client credentials (or other supported means of authentication) when it is requesting access to the protected resources under its control (OAuth 2.0: RFC 6749 & 6750)
    Example: client_credentials

Response Structure

responseCode
    Data Type: String
    Format: Numeric
    Mandatory: C
    Description: Response code

responseMessage
    Data Type: String
    Format: Alphabet
    Mandatory: C
    Description: Response description

accessToken
    Data Type: String
    Format: Alphanumeric
    Mandatory: M
    Description: The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes). Token Type Value: Message Authentication Code (MAC) key together with the access token that is used to sign certain components of the HTTP requests. Reference: OAuth 2.0 RFC 6749 & 6750

tokenType
    Data Type: String
    Format: Alphabet
    Mandatory: M

expiresIn
    Data Type: String
    Format: Alphanumeric
    Mandatory: M
    Description: Session expiry in seconds: 900 (15 minutes)

Request & Response Payload Sample

Request:

    {
        "grantType": "client_credentials"
    }

Normal Response:

    {
        "accessToken": "jwy7GgloLqfqbZ9OnxGxmYOuGu85",
        "tokenType": "BearerToken",
        "expiresIn": "899"
    }

Error Response:

    {
        "responseCode": "4007301",
        "responseMessage": "Invalid Field Format"
    }

List of Error/Response Code

HTTP Status Code | Response Code | Status | Description
200 | - | Success | -
400 | 4007300 | Failed | Bad Request
400 | 4007301 | Failed | Invalid Field Format
401 | 4017300 | Failed | Unauthorized Client
401 | 4017300 | Failed | Unauthorized stringToSign
401 | 4017300 | Failed | Unauthorized Signature
401 | 4017301 | Failed | Invalid Token (B2B)
500 | 500000 | Failed | General Error
Any error response not listed in the BRIAPI response list is considered pending and requires further investigation.
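How a partner builds X-SIGNATURE for Get Token and how the recipient checks it against the registered public_key, as an added example that is not part of the BRI documentation or any BRI SDK. It generates a throwaway RSA 2048 key pair in place of the partner's registered key, treats SHA256withRSA as RSASSA-PKCS1-v1_5 with SHA-256, and assumes the signature is Base64-encoded in the header (the page does not state the encoding); the client_id value is a placeholder.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// generatePartnerKey creates the RSA 2048 key pair the partner registers under "Manage Snap Key".
func generatePartnerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// tokenStringToSign builds client_ID + "|" + X-TIMESTAMP as the header table defines it.
func tokenStringToSign(clientID, timestamp string) string {
	return clientID + "|" + timestamp
}

// signSHA256withRSA is the partner side: SHA256withRSA (RSASSA-PKCS1-v1_5, SHA-256) over stringToSign
// with the private_key. Base64 output is an assumption; the page does not state the encoding.
func signSHA256withRSA(priv *rsa.PrivateKey, stringToSign string) (string, error) {
	digest := sha256.Sum256([]byte(stringToSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// verifySHA256withRSA is the BRI side: X-SIGNATURE is checked against the registered public_key.
// Any change to client_ID or X-TIMESTAMP, or a malformed header value, makes this return false.
func verifySHA256withRSA(pub *rsa.PublicKey, stringToSign, signatureB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(signatureB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(stringToSign))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv, _ := generatePartnerKey() // constructed sample key, not a real registered key
	sts := tokenStringToSign("EXAMPLE-CLIENT-ID", "2021-11-02T13:14:15.678+07:00") // placeholder client_id
	sig, _ := signSHA256withRSA(priv, sts)
	fmt.Println("X-SIGNATURE:", sig)
	fmt.Println("valid:", verifySHA256withRSA(&priv.PublicKey, sts, sig))
}
```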

B. Signature API Access

Signature ensures the reliability and non-repudiation of data transmission. The signature is generated by the service requestor and verified by the service recipient.

The signature is formed over the specified payload. The payload data is signed with the SHA256-HMAC algorithm using your clientSecret as the key.

Payload

The payload consists of path, verb, token, timestamp, and body. Symmetric-Signature format:

HMAC_SHA512(clientSecret, stringToSign), where stringToSign = HTTPMethod + ":" + EndpointUrl + ":" + AccessToken + ":" + Lowercase(HexEncode(SHA-256(minify(RequestBody)))) + ":" + TimeStamp

Example payload:

POST:/snap/v1.0/dummy:muhpwhwOkPRU9nNXYnyYHj8t54x3:8b4e9e83b5231cff4f84358ec8ca81951cfe9f999f635b1566452a501d5c23b2:2021-11-29T09:22:18.172+07:00

Details of each element inside the payload are explained below:

1. Path

The value for path is the URL after the hostname and port without the query parameters.

Example:

/snap/v1.0/dummy

2. Verb

HTTP method in uppercase, i.e. GET, POST, PUT, PATCH, and DELETE.

3. Token

The token used is taken from the Authorization header.

Example:

Bearer R04XSUbnm1GXNmDiXx9ysWMpFWBr

4. Timestamp

Timestamp at the moment you call the API. The timestamp must follow the ISO 8601 format (yyyy-MM-ddTHH:mm:ss.SSSZ). It has to be in the zero UTC offset.

Example:

2021-11-02T13:14:15.678+07:00

Timestamp must be in UTC or GMT +0 timezone.

5. Body

The request body sent with the API call, processed as Lowercase(HexEncode(SHA-256(minify(RequestBody)))).

Example: {"hello":"world"}

SHA-256 result: 93a23971a914e5eacbf0a8d25154cda309c3c1c72fbb9914d47c60f3cb681588

If there is no body of the request, for example using the GET method, just leave it blank.
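The full symmetric-signature computation from the five payload elements above, as an added example that is not part of the BRI documentation or any BRI SDK. It follows the HMAC_SHA512 formula given under Payload, uses json.Compact as minify(), leaves the body element empty for body-less requests such as GET, and assumes the MAC is Base64-encoded (the page does not state the output encoding); any client secret passed to it is a placeholder.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// bodyHash implements Lowercase(HexEncode(SHA-256(minify(RequestBody)))); an absent body (e.g. GET) yields "".
func bodyHash(body string) (string, error) {
	if strings.TrimSpace(body) == "" {
		return "", nil
	}
	var minified bytes.Buffer // json.Compact strips insignificant whitespace, i.e. minify()
	if err := json.Compact(&minified, []byte(body)); err != nil {
		return "", fmt.Errorf("request body is not valid JSON: %w", err)
	}
	sum := sha256.Sum256(minified.Bytes())
	return strings.ToLower(hex.EncodeToString(sum[:])), nil
}

// stringToSign joins HTTPMethod:EndpointUrl:AccessToken:bodyHash:TimeStamp; token is the bare
// access token, i.e. the Authorization header value without its "Bearer " prefix.
func stringToSign(method, path, token, body, timestamp string) (string, error) {
	h, err := bodyHash(body)
	if err != nil {
		return "", err
	}
	return strings.ToUpper(method) + ":" + path + ":" + token + ":" + h + ":" + timestamp, nil
}

// symmetricSignature is the requestor side: HMAC_SHA512(clientSecret, stringToSign).
// Base64 output is an assumption; the page does not state how the MAC is encoded.
func symmetricSignature(clientSecret, sts string) string {
	mac := hmac.New(sha512.New, []byte(clientSecret))
	mac.Write([]byte(sts))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// verifySymmetricSignature is the recipient side; hmac.Equal compares in constant time.
func verifySymmetricSignature(clientSecret, sts, sig string) bool {
	return hmac.Equal([]byte(symmetricSignature(clientSecret, sts)), []byte(sig))
}
```

Calling stringToSign("POST", "/snap/v1.0/dummy", token, `{"hello":"world"}`, timestamp) reproduces the example payload layout above with the page's own body hash in the fourth position.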