Security: Checksum
The CreditSwitch REST API uses an authentication scheme based on the Bcrypt hashing algorithm. Each merchant is assigned a unique public–private key pair. To authenticate a request, specific elements — including the merchant’s private key — are concatenated to form a single string.
This string is then hashed using Bcrypt, and the resulting hash is Base64-encoded.
When the API receives the request, it retrieves the merchant’s private (secret) key and performs the same hashing procedure.
✅ If the resulting checksum matches the one provided in the request, the API considers it authenticated and proceeds.
❌ If not, the request is rejected with an error response.
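The example below illustrates how to generate the request checksum 📝. Note: The output of the Bcrypt hash is always a string. Because Bcrypt generates a fresh random salt on every call and stores it inside that string, the checksum for identical inputs differs from one call to the next; this is expected.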
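// Checksum formulas. Each ConcatString / Checksum pair below is an independent formula
// with its own field list.
//
// Fields are joined with "|" in exactly the order shown; the receiving side repeats the
// same procedure, so a different order or a missing separator yields a mismatch.
//
// Bcrypt caveat: the algorithm takes at most 72 bytes of input. Implementations either
// ignore everything past that point or reject the input, so any field that lands after
// byte 72 of ConcatString (likely when privateKey is long and other fields follow it)
// does not influence the checksum.

ConcatString = loginId + "|" + requestId + "|" + serviceId + "|" + requestAmount + "|"
               + privateKey + "|" + recipient;
Checksum = Base64(Bcrypt(ConcatString));

ConcatString = loginId + "|" + serviceId + "|" + privateKey + "|" + customerAccountId;
Checksum = Base64(Bcrypt(ConcatString));

ConcatString = loginId + "|" + serviceId + "|" + privateKey + "|" + customerAccountId + "|"
               + requestId + "|" + amount;
Checksum = Base64(Bcrypt(ConcatString));

ConcatString = loginId + "|" + privateKey;
Checksum = Base64(Bcrypt(ConcatString));

// The original listing omitted the "ConcatString =" assignment on this formula.
ConcatString = loginId + "|" + privateKey + "|" + msisdn + "|" + amount;
Checksum = Base64(Bcrypt(ConcatString));

ConcatString = loginId + "|" + privateKey + "|" + transactionRef;
Checksum = Base64(Bcrypt(ConcatString));

ConcatString = loginId + "|" + privateKey + "|" + smartCardCode;
Checksum = Base64(Bcrypt(ConcatString));

ConcatString = loginId + "|" + privateKey + "|" + smartCardCode + "|" + fee;
Checksum = Base64(Bcrypt(ConcatString));

ConcatString = loginId + "|" + privateKey + "|" + customerNo;
Checksum = Base64(Bcrypt(ConcatString));

ConcatString = loginId + "|" + privateKey + "|" + customerNo + "|" + transactionRef + "|"
               + amount;
Checksum = Base64(Bcrypt(ConcatString));

ConcatString = loginId + "|" + serviceId + "|" + privateKey + "|" + requestId + "|" + amount;
Checksum = Base64(Bcrypt(ConcatString));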
Security: Generation Snippets
Sample checksum generation snippets in selected languages. These snippets are only meant to serve as a guide.
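/**
 * Returns the Base64-encoded Bcrypt checksum over
 * loginId|requestId|serviceId|requestAmount|privateKey|recipient.
 *
 * The hash is salted randomly, so every call returns a different string for the
 * same inputs.
 *
 * @return string Base64 encoding of the Bcrypt hash string.
 */
public function getChecksumAirtimeData(){
    // Sample values only. Load the real login ID and private key from configuration or a
    // secret store instead of keeping them in source.
    $loginId = "1234";
    $requestId = "112345";
    $serviceId = "A04E";
    $requestAmount = "100";
    $privateKey = "78858c42aff6b2210a2fdc637f6ebe39d53c38da95633d27f52fddeace60149162";
    $recipient = "08030001111";

    $concatString = $loginId . "|" . $requestId . "|" . $serviceId . "|" . $requestAmount
        . "|" . $privateKey . "|" . $recipient;

    // password_hash() with Bcrypt uses only the first 72 bytes of its input. With the
    // sample key (over 60 characters) the string passes 72 bytes before the recipient is
    // reached, so the recipient does not influence the resulting hash.
    //
    // PASSWORD_BCRYPT is named explicitly: PASSWORD_DEFAULT may map to another algorithm
    // in a later PHP release, while the scheme described here requires Bcrypt.
    $checksum = base64_encode(password_hash($concatString, PASSWORD_BCRYPT));
    return $checksum;
}

/**
 * Returns the Base64-encoded Bcrypt checksum over loginId|privateKey.
 *
 * @return string Base64 encoding of the Bcrypt hash string.
 */
public function getChecksumMertDetail(){
    // Sample values only; do not keep a real private key in source.
    $loginId = "1234";
    $privateKey = "78858c42aff6b2210a2fdc637f6ebe39d53c38da95633d27f52fddeace60149162";

    $concatString = $loginId . "|" . $privateKey;

    // Explicit Bcrypt for the same reason as above; Bcrypt reads at most 72 bytes.
    $checksum = base64_encode(password_hash($concatString, PASSWORD_BCRYPT));
    return $checksum;
}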
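import base64

import bcrypt


def getChecksumAirtimeData():
    """Return the Base64-encoded Bcrypt checksum over
    loginId|requestId|serviceId|requestAmount|privateKey|recipient.

    The salt is generated per call, so the result differs on every call even for
    identical inputs.

    Returns:
        bytes: Base64 encoding of the Bcrypt hash; decode as ASCII if a text
        string is required.
    """
    # Sample values only. Load the real login ID and private key from configuration or
    # a secret store instead of keeping them in source.
    loginId = "1234"
    requestId = "112345"
    serviceId = "A04E"
    requestAmount = "100"
    privateKey = "78858c42aff6b2210a2fdc637f6ebe39d53c38da95633d27f52fddeace60149162"
    recipient = "08030001111"

    concatString = "|".join(
        [loginId, requestId, serviceId, requestAmount, privateKey, recipient]
    )

    # bcrypt.hashpw() takes bytes, so the text is encoded first.
    # Bcrypt reads at most 72 bytes. With the sample key (over 60 characters) this string
    # is longer than that, so the trailing fields are not covered by the hash.
    # NOTE(review): depending on the installed bcrypt version, longer input is either
    # silently truncated or rejected with ValueError; confirm before relying on either.
    hashed = bcrypt.hashpw(concatString.encode("utf-8"), bcrypt.gensalt())
    checksum = base64.urlsafe_b64encode(hashed)
    return checksum


def getChecksumMertDetail():
    """Return the Base64-encoded Bcrypt checksum over loginId|privateKey.

    Returns:
        bytes: Base64 encoding of the Bcrypt hash; decode as ASCII if a text
        string is required.
    """
    # Sample values only; do not keep a real private key in source.
    loginId = "1234"
    privateKey = "78858c42aff6b2210a2fdc637f6ebe39d53c38da95633d27f52fddeace60149162"

    concatString = loginId + "|" + privateKey

    # bcrypt.hashpw() takes bytes, so the text is encoded first.
    hashed = bcrypt.hashpw(concatString.encode("utf-8"), bcrypt.gensalt())
    checksum = base64.urlsafe_b64encode(hashed)
    return checksum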
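/**
 * Returns the Base64-encoded Bcrypt checksum over
 * loginId|requestId|serviceId|requestAmount|privateKey|recipient.
 *
 * <p>The salt is generated per call, so the result differs on every call even for
 * identical inputs.
 *
 * @return Base64 encoding of the UTF-8 bytes of the Bcrypt hash string
 */
static String getChecksumAirtimeData(){
    // Sample values only. Load the real login ID and private key from configuration or a
    // secret store instead of keeping them in source.
    String loginId = "1234";
    String requestId = "112345";
    String serviceId = "A04E";
    int requestAmount = 100;
    String privateKey = "78858c42aff6b2210a2fdc637f6ebe39d53c38da95633d27f52fddeace60149162";
    String recipient = "08030001111";

    String concatString = loginId + "|" + requestId + "|" + serviceId + "|" + requestAmount
            + "|" + privateKey + "|" + recipient;

    // Bcrypt operates on at most 72 bytes of input. With the sample key (over 60
    // characters) this string is longer than that, so the trailing fields are not
    // covered by the hash; check how the Bcrypt library in use treats longer input.
    // NOTE(review): the jBCrypt library spells its class "BCrypt"; adjust the class name
    // to match the library actually on the classpath.
    byte[] message = Bcrypt.hashpw(concatString, Bcrypt.gensalt()).getBytes(StandardCharsets.UTF_8);

    // The original snippet declared "checksum" twice, which does not compile.
    String checksum = Base64.getEncoder().encodeToString(message);
    return checksum;
}

/**
 * Returns the Base64-encoded Bcrypt checksum over loginId|privateKey.
 *
 * @return Base64 encoding of the UTF-8 bytes of the Bcrypt hash string
 */
static String getChecksumMertDetail(){
    // Sample values only; do not keep a real private key in source.
    String loginId = "1234";
    String privateKey = "78858c42aff6b2210a2fdc637f6ebe39d53c38da95633d27f52fddeace60149162";

    String concatString = loginId + "|" + privateKey;

    byte[] message = Bcrypt.hashpw(concatString, Bcrypt.gensalt()).getBytes(StandardCharsets.UTF_8);
    String checksum = Base64.getEncoder().encodeToString(message);
    return checksum;
}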
/// <summary>
/// Returns the Base64-encoded Bcrypt checksum over
/// loginId|requestId|serviceId|amount|privatekey|recipient.
/// The salt is generated per call, so the result differs on every call even for
/// identical inputs.
/// </summary>
/// <returns>Base64 encoding of the UTF-8 bytes of the Bcrypt hash string.</returns>
public string getCheckSum()
{
    // Sample values only. Load the real login ID and private key from configuration or a
    // secret store instead of keeping them in source.
    string loginId = "1234";
    string requestId = "bchsbhhbfdsbsdbh";
    string serviceId = "A04E";
    string amount = "100";
    string privatekey = "XY1t9Y159hWJaETD";
    string recipient = "07027829028";

    // Field order is significant; the receiving side hashes the same sequence.
    string payload = string.Join("|", loginId, requestId, serviceId, amount, privatekey, recipient);

    // Bcrypt operates on at most 72 bytes of input, so a longer key or longer field
    // values can push trailing fields out of the hashed range.
    string bcryptHash = BCryptHelper.HashPassword(payload, BCryptHelper.GenerateSalt());
    byte[] hashBytes = Encoding.UTF8.GetBytes(bcryptHash);

    // checkSum is not declared in this snippet; presumably a member of the enclosing
    // class. Verify against the surrounding code.
    return checkSum = Convert.ToBase64String(hashBytes);
}