When exchanging data, the parameter naming convention applies: the names of all the parameters that relate to the Paybox.money and store interaction have the prefix pg_, all other parameters do not have it.
When specifying any amount of money, a point is used to separate the fractional part. If a number is integer, then the indication of the fractional part is optional. The number of characters after the point is not more than two. Thousands are not separated by any signs.
Any messages (requests and responses) between Paybox.money and the store are to be signed. A signature is generated by concatenating with a separator ';':
1. The name of the called script (from the last '/' to the end or '?')
2. All fields of the message in alphabetical order, including a random string pg_salt, consisting of an arbitrary number of digits and Latin letters, wherein:
   a. this rule is applied recursively to nested tags (XML only)
   b. fields with the same name are taken in the order in which they appear in the message
3. And the payment password secret_key, which is set in the settings of the store and is known only to the store and PayBox.money.
Compute the MD5 hash of the resulting concatenated string and add it to the request or response as an additional parameter pg_sig. The MD5 hash is written as a lower-case hexadecimal string (32 characters).
Sample call: http://domain.com/path/to/script.php
<?xml version="1.0" encoding="utf-8"?>
<request>
  <pg_salt>9imM909TH820jwk387</pg_salt>
  <pg_t_param>value3</pg_t_param>
  <pg_a_param>value1</pg_a_param>
  <pg_z_param>
    <pg_q_subparam>subvalue2</pg_q_subparam>
    <pg_m_subparam>subvalue1</pg_m_subparam>
  </pg_z_param>
  <pg_b_param>value2</pg_b_param>
  <pg_sig>74aa41a4f425d124a23c3a53a3140bdc15826</pg_sig>
</request>
In the above example, pg_sig is calculated by the formula:
- pg_sig = md5('script.php' + ';' + pg_a_param + ';' + pg_b_param + ';' + pg_salt + ';' + pg_t_param + ';' + pg_m_subparam + ';' + pg_q_subparam + ';' + secret_key);
Which unfolds into:
- pg_sig = md5('script.php;value1;value2;9imM909TH820jwk387;value3;subvalue1;subvalue2;mypasskey');
if the store settings specify that secret_key is equal to mypasskey.
Any party can add additional parameters to the request or response that are not specified in the documentation. These parameters also participate in the calculation of the signature.
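The signing rules above for an XML message, as an added Python example (not Paybox.money's own code): it builds the string to be hashed, attaches pg_sig, and verifies an incoming message with a constant-time comparison. The function names are assumptions made for this example, and the sample message is constructed from the values of the sample call above.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

def script_name(url):
    # Rule 1: from the last '/' up to the end of the URL or the '?'.
    return url.split("?", 1)[0].rsplit("/", 1)[-1]

def flatten(fields):
    # Rule 2: fields in alphabetical order, nested tags recursively. sorted()
    # is stable, so same-named fields keep the order they have in the message.
    values = []
    for field in sorted(fields, key=lambda e: e.tag):
        if len(field):
            values.extend(flatten(field))
        else:
            values.append(field.text or "")
    return values

def signing_string(url, root, secret_key):
    fields = [f for f in root if f.tag != "pg_sig"]  # pg_sig is not part of its own input
    return ";".join([script_name(url), *flatten(fields), secret_key])

def make_sig(url, root, secret_key):
    data = signing_string(url, root, secret_key).encode("utf-8")
    return hashlib.md5(data).hexdigest()  # 32 lower-case hex characters

def sign(url, xml_text, secret_key):
    root = ET.fromstring(xml_text)
    for old in root.findall("pg_sig"):
        root.remove(old)
    ET.SubElement(root, "pg_sig").text = make_sig(url, root, secret_key)
    return ET.tostring(root, encoding="unicode")

def verify(url, xml_text, secret_key):
    root = ET.fromstring(xml_text)
    received = (root.findtext("pg_sig") or "").encode("utf-8")
    expected = make_sig(url, root, secret_key).encode("utf-8")
    return hmac.compare_digest(received, expected)  # constant-time comparison

# Constructed sample: the fields of the page's example, with its example key.
URL = "http://domain.com/path/to/script.php"
SECRET = "mypasskey"
MESSAGE = (
    "<request><pg_salt>9imM909TH820jwk387</pg_salt><pg_t_param>value3</pg_t_param>"
    "<pg_a_param>value1</pg_a_param><pg_z_param><pg_q_subparam>subvalue2</pg_q_subparam>"
    "<pg_m_subparam>subvalue1</pg_m_subparam></pg_z_param><pg_b_param>value2</pg_b_param></request>"
)
```

Because every field takes part in the signature, a receiver should call verify() on the message exactly as received, before acting on any of its parameters.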
The message is not signed, and accordingly the pg_sig field is missing, in only one case: when PayBox was unable to identify the merchant and therefore does not know its secret_key. In this case, the pg_error_code field (numeric error code) is set to 101. For a complete list of possible values for the pg_error_code field, see the Error Code Reference.
To debug the formation of signatures, it is recommended to use the page in your personal account https://api.paybox.money/admin/sig_debug_helper.php