Implementation
Security
To ensure security, Xsolla uses:
Note
API keys are generated by Xsolla and are unique for each provider.
Headers
Incoming requests from Xsolla contain the following headers:
| Header | Description | Required |
|---|---|---|
| Request-Id | Unique request ID. | Yes. |
| Content-Digest | Checksum values for the request body. | Yes if there is a request body. |
| Signature-Input | Parameters used to generate the signature. | Yes. |
| Signature | Request signature. | Yes. |
| Prefer | Additional data, e.g., `environment="sandbox"`. | No. |
Note
You must include the same headers in webhooks sent to Xsolla.
Incoming requests verification
When you receive requests from Xsolla:
- Extract the secret key that corresponds to the `keyid` value from the `Signature-Input` header.
- Validate the `created`/`expires` time window.
- Retrieve the request body.
- Reconstruct the signature string according to `Signature-Input` and verify the signature using HMAC-SHA256.

```http
sig1=("@method" "@target-uri" "content-digest" "request-id");alg="hmac-sha256";created=1700000000;expires=1700000600;keyid="acc_123"
```

- Use `Request-Id` to search for the request in the logs.
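The verification steps above as an added Python example (not Xsolla's code). It assumes the signature string and `Content-Digest` encoding follow RFC 9421 and RFC 9530 with SHA-256, which the header names suggest but this page does not state; `KEYS`, `URI`, and `demo_request` are constructed for illustration.

```python
import base64, hashlib, hmac, re, time

KEYS = {"acc_123": b"constructed-demo-secret"}  # constructed keyid -> secret store
URI = "https://provider.example/v1/payments"    # constructed target URI

def signature_base(method, uri, h, components, params):
    # Assumed RFC 9421 layout: one '"name": value' line per covered component,
    # then an '"@signature-params"' line repeating the Signature-Input value.
    derived = {"@method": method.upper(), "@target-uri": uri}
    lines = [f'"{c}": {derived[c] if c in derived else h[c].strip()}' for c in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()

def sign(key, method, uri, h, components, params):
    mac = hmac.new(key, signature_base(method, uri, h, components, params), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def verify(method, uri, headers, body, now=None, label="sig1"):
    h = {k.lower(): v for k, v in headers.items()}
    now = int(time.time()) if now is None else now
    try:
        raw = h["signature-input"].strip()
        if not raw.startswith(label + "="):
            return False
        params = raw[len(label) + 1:]
        inner, _, tail = params.partition(")")
        components = re.findall(r'"([^"]+)"', inner)
        meta = dict(re.findall(r';(\w+)="?([^;"]*)"?', tail))
        key = KEYS[meta["keyid"]]                      # step 1: secret for keyid
        if meta["alg"] != "hmac-sha256":
            return False
        if not int(meta["created"]) <= now <= int(meta["expires"]):  # step 2
            return False
        if body:  # step 3: the digest must be signed and must match the body
            digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
            if "content-digest" not in components or not hmac.compare_digest(
                    h["content-digest"].strip(), f"sha-256=:{digest}:"):
                return False
        expected = sign(key, method, uri, h, components, params)     # step 4
        return hmac.compare_digest(h["signature"].strip(), f"{label}=:{expected}:")
    except (KeyError, ValueError, TypeError):
        return False  # missing header, unknown keyid, or malformed field

def demo_request(body=b'{"amount": 100}'):  # constructed, correctly signed request
    comps = ["@method", "@target-uri", "content-digest", "request-id"]
    params = ('(' + " ".join(f'"{c}"' for c in comps) + ');alg="hmac-sha256";'
              'created=1700000000;expires=1700000600;keyid="acc_123"')
    digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
    h = {"request-id": "req-001", "content-digest": f"sha-256=:{digest}:",
         "signature-input": "sig1=" + params}
    h["signature"] = "sig1=:" + sign(KEYS["acc_123"], "POST", URI, h, comps, params) + ":"
    return h, body
```

Requiring `content-digest` among the covered components whenever a body is present is what binds the body to the signature; without it, a valid signature would say nothing about the payload.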
Required functionality
For successful integration, you must implement at least the following API methods:
| Method | Path | Description |
|---|---|---|
| POST | /v1/payments | Creates payment. Returns the action object. |
| PATCH | /v1/payments/{transaction_id} | Confirms payment if action.type=confirm is returned. |
| GET | /v1/payments/{transaction_id} | Gets the current payment status. |
- `payment.succeeded` — successful payment
- `payment.failed` — failed payment
- `payment.refunded` — refund
Note
Refer to the specification for a detailed description of the API methods and webhooks.