API
  1. API Reference
API
  • Guides
    • Welcome
    • Interface
  • API Reference
    • Introduction
    • Endpoints
    • Data Types
    • Signing
    • 3-D Secure Verification
    • Subscription
    • Errors
    • Webhooks
    • Items Information
    • Changelog
    • Acquiring
      • Create a direct payment
        POST
      • Create a APM payment
        POST
      • Create a redirect (iFrame) payment
        POST
      • Query a transaction
        POST
      • Refund a transaction
        POST
      • Search a refund transaction
        POST
      • Review a transaction
        POST
      • Cancel a transaction
        POST
      • Cancel a subscription
        POST
      • Capture a transaction
        POST
      • Create a payout
        POST
      • Optimise payment methods
        POST
    • Issuing
      • Cardholder
        • Create cardholder
          POST
        • Delete cardholder
          POST
        • Query cardholder
          POST
      • Group
        • Create group
        • Query group details
        • Cancel group
        • Refund group
        • Update group status
        • Recharge group
      • Card
        • Create a card
        • Query card BIN
        • Recharge card
        • Withdraw from a card
        • Cancel a card
        • Update card status
        • Update card limit
        • Query card details
  • Appendix
    • Test Cards
    • Bank Code
    • Country Code
    • Currency Code
    • Payment Methods
  1. API Reference

Signing

The request body (payload) must be signed to ensure the integrity and authenticity of the message. To generate a signature hash, Xnova provides each merchant with a Signature Key.
Every Merchant Account is assigned at least one Signature Key, which is used for signing API requests and receiving signed notifications from Xnova. Each Signature Key has a unique Key ID, and only one default Key ID can be active at a time for the Merchant Account. This allows Xnova to identify which key to use when sending notifications.
The Signature Key is uniquely generated and shared between the Merchant and Xnova. The signature itself is computed as a SHA256 (32-byte) hash and returned as a 64-character hexadecimal string.

Keys#

The Xnova API uses API keys for secure request encryption. To obtain your API key pairs, please reach out to your account manager.
Xnova provides separate API keys for test and live environments. Ensure you switch to the appropriate keys and endpoint URL when transitioning from the test environment to the live environment to avoid processing real transactions during testing.
All API requests must be sent over HTTPS, as calls made via HTTP will fail. Additionally, any API requests lacking proper encryption (using SHA256) will be rejected.
Keep Sign Key confidential!
Since your API keys provide extensive access, it’s crucial to keep them safe! Never share your secret API keys in publicly accessible locations like GitHub, client-side code, or similar areas.

How to encrypt#

JAVA
PHP
$encryption_data=sha256(merchant_id+account_id+order_no+currency+amount+first_name+
last_name+card+expiration_year+expiration_month+security_code+shopper_email+sign_key);
APM:
$encryption_data=sha256(merchant_id+account_id+order_no+currency+amount+
first_name+last_name+shopper_email+sign_key);
Alternatively, you can use this online tool to generate encryption data for testing purposes
https://tools.keycdn.com/sha256-online-generator
image.png
SHA256 Generator Example
Modified at 2025-05-20 07:37:21
Previous
Data Types
Next
3-D Secure Verification