Get Started
To get started with the BONUSPAY API:
Last updated
To get started with the BONUSPAY API:
Last updated
Created an account at BonusPay merchant portal.
Created an API RSA key to authenticate calls and responses.
Created an Order to collect crypto from your customers.
You can visit http://www.bonuspay.network to create a merchant account for FREE.
You can register multiple staff for the merchant and set up different roles.
BonusPay will collect some information from you but we will approve all applications automatically right now.
BonusPay won't block or freeze the assets in your account.
Your API requests are authenticated using an RSA signature. Any request that doesn't include a signature will return an error.
You can generate or modify an API RSA KEY from the merchant portal at any time.
The merchant generates a key pair, the private key is stored by the merchant, and the public key should be uploaded to the BonusPay system. The merchant needs to sign the request with its own private key when the merchant sends a request to BonusPay, and BonusPay uses the merchant's public key to verify the signature. If the verification is passed, it proves that the request was sent by the merchant and not faked by others.
The merchant can directly generate a key pair on BonusPay's portal. The public key will be automatically saved in the BonusPay system and the private key can be downloaded. The merchant should save the private key carefully. If your private key is lost, please update the key in BonusPay in time. The merchant can also generate with other OpenSSL tools.
BonusPay Public Key
BonusPay generates a key pair for each merchant, the private key is saved by BonusPay and the public key is available on the portal for merchants to download. When BonusPay sends the response, BonusPay will use its own private key to sign the message, and the merchant uses BonusPay 's public key to verify the signature. If the verification is passed, it proves that the response was sent by BonusPay and not faked by others.
IP Whitelist
When the merchant calls the API, BonusPay only allows requests from the whitelist to go through. IP whitelist is required to set, otherwise, an error will be reported when API is called. One or more whitelist IPs can be set. If you want to allow any IP to pass through, you can fill in *.
The preferred signature algorithm is SHA256withRSA, an efficient asymmetric encryption method. This algorithm first calculates a unique hash of the input data using the SHA256 algorithm. The hash is then encrypted with a private key using the RSA algorithm.
When the merchant is ready to send the API request, they should sign the request message with the merchant's private key.
When encryption is needed per API requirement, the merchant should encrypt the message with BonusPay's public key so that BonusPay can decrypt it with the private key.
In order that all messages to be properly verified and decrypted, the request messages need to be encoded and decrypted using the same algorithm. Therefore, we require all requests to follow the following diagram when generating signatures.
Step 1: The entire request body should be processed as a signature.
Step 2: Use UTF-8 to encode the original message.
Step 3: Generate SHA256withRSA signature.
Step 4: Use Base64 to encode the signature generated in Step 3.
Step 5: Use the signature generated in Step 4 for all requests in the HTTP Header.
Sometimes it is necessary to encrypt the request payload or fields to prevent man-in-the-middle attacks. When encrypting, the encryption algorithm is chosen to encrypt with RSA using BonusPay's public key. Note that the encrypted field should not be too large, usually less than 200 bytes, in order to decrypt it in time.
applystatus = success and code = 0.When sending a request to BonusPay, the request content includes Http Header and Http Body. In most requests, the HTTP Header should be the same, as follows:
Content-Language String
The language in which the response message will be used, currently only English is supported.
Example value: en
Maximum length: 10
Content-Type String Required
The media type. Required for operations with a request body. The value is application/<format>, where format is json.
Example value: application/json
sign String Required
Requests should be signed using private-key cryptography. This allows the payment gateway to verify that an incoming request is really from your application.
Partner-Id String Required
The merchant id of your account.
Example value: 200001321321
Maximum length: 12
When BonusPay sends a response to you, the response content includes HTTP Header and HTTP Body. In most responses, the HTTP Header should be the same, as follows
sign String Required
When BonusPay sends a response, BonusPay will use its own private key to sign the message, and the merchant uses BonusPay 's public key to verify the signature. If the verification is passed, it proves that the response was sent by BonusPay and not faked by others.
When BonusPay sends a response to you, the response content includes HTTP Header and HTTP Body. The HTTP Body consists head and body. In most responses, the Body should be the same, as follows:
applyStatus Enum Required
The result of the request. The possible values are:
SUCCESS - Application successful.
FAIL - Application failed. Check the code and msg for the exact reason.
ERROR - Application error. The signature verification failed. Please check whether the private key used for the signature and the public key uploaded on the BonusPay portal is one key pair.
code String Required
Response Codes. View the Response code section to know all the possible results.
Example value: 0
msg String
Description of this code. View the Response code section to know all the possible results.
traceCode String
No special meaning, BonusPay internally used to locate the error.
JAVA SDK DOWNLOAD
Sign Test Tool
If you have successfully verified in the test environment and prepare to launch in live environment, follow the steps as you have done in the test environment.
Step1, Modify the API URL
Step2, Modify the RSA KEYs
Step3, Modify the partnerID
Step4, Modify the NotifyURL and RedirectURL
Step5, Test on the Prod environment
Response header format