Implementation
After signing the agreement, you will get access to the technical integration step. The duration of this step depends on the complexity of the integration.
Security
To ensure security, Xsolla uses:
Headers
Incoming requests from Xsolla contain the following headers:
| Header | Description | Required |
|---|---|---|
Request-Id | Unique request ID. | Yes. |
Content-Digest | Checksum values for the request body. | Yes if there is a request body. |
Signature-Input | Parameters used to generate the signature. | Yes. |
Signature | Request signature. | Yes. |
Prefer | Additional data, e.g., environment="sandbox". | No. |
Incoming requests verification
When you receive requests from Xsolla:
Extract the secret key that corresponds to the
keyidvalue from theSignature-Inputheader.Validate the
created/expirestime window.Retrieve the request body.
Reconstruct the signature string according to
Signature-Inputand verify the signature using HMAC-SHA256.
Example:
- http
1sig1=("@method" "@target-uri" "content-digest" "request-id");alg="hmac-sha256";created=1700000000;expires=1700000600;keyid="acc_123"
- Use
Request-Idto search for the request in the logs.
Required functionality
For successful integration, you must implement at least the following API methods:
| Method | Path | Description |
|---|---|---|
| POST | /v1/payments | Creates payment. Returns the action object. |
| PATCH | /v1/payments/{transaction_id} | Confirms payment if action.type=confirm is returned. |
| GET | /v1/payments/{transaction_id} | Gets the current payment status. |
You also need to configure sending webhooks to Xsolla to notify about the payment events:
payment.succeeded— successful paymentpayment.failed— failed paymentpayment.refunded— refund
Found a typo or other text error? Select the text and press Ctrl+Enter.