Get Token
Here is an overview of how to get a token for Virtual Account transactions:
Get Token
Get Access Token is an authentication method that ensures confidentiality, system and data integrity, and availability of a system, and also serves as a fraud detection method. It is a mandatory process regulated by Bank Indonesia.
Before starting any transaction process involving a virtual account, one party needs to obtain an access token before calling the other party's API (e.g. when a merchant wants to call DOKU's create VA API, the merchant first needs to call the get access token API and be granted an access token). The type of access token used for virtual accounts is B2B.
The request header contains a field called X-SIGNATURE, which carries a signature computed over a combination of request values; to learn more about how it is generated, you can check here
API Endpoint
To get an access token, call this API endpoint:
Type | Value |
---|---|
Service Code | 73 |
HTTP Method | POST |
Path | /authorization/v1/access-token/b2b |
Here is a sample request header to get a token:
X-SIGNATURE: Pxlv2IIUVdlzdUnbSQqug8YeghmKXJ7Rw5P4xBOOB/tC457UsoZXkO4S1R3oszVcjZDSh38+==
X-TIMESTAMP: 2022-10-07T14:18:39+07:00
X-CLIENT-KEY: MCH-0008-1296507211683
Content-Type: application/json
Request Header Explanation
Parameter | Data Type | Type | Description |
---|---|---|---|
X-SIGNATURE | string | Mandatory | Non-repudiation and integrity check. X-SIGNATURE is computed with the asymmetric signature algorithm SHA256withRSA(Private_Key, stringToSign), where stringToSign = client_ID + “:” + X-TIMESTAMP |
X-TIMESTAMP | string | Mandatory | Request timestamp in ISO 8601 format at UTC+0. This means that to process a transaction at UTC+7 (WIB), the merchant needs to subtract 7 hours. Example: to process a transaction on September 22nd 2020 at 08:51:00 WIB, the timestamp should be 2020-09-22T01:51:00Z |
X-CLIENT-KEY | string | Mandatory | Client’s client_id (PJP name), given on completion of the registration process. Merchant to DOKU: the merchant's client_id. DOKU to Acquirer: the client_key given by the acquirer. Acquirer to DOKU: the client_key given by DOKU |
content-type | string | Mandatory | Indicates the media type of the resource (e.g. application/json, application/pdf) |
Here is a sample request body to get a token:
{
"grantType":"client_credentials",
"additionalInfo":""
}
Request Body Explanation
Parameter | Data Type | Type | Description |
---|---|---|---|
grantType | string | Mandatory | “client_credentials”: the client requests an access token using only its client credentials (or other supported means of authentication) when it is requesting access to the protected resources under its control (OAuth 2.0: RFC 6749 and RFC 6750) |
additionalInfo | object | Optional | Additional Information |
API Response
After the above API request, DOKU returns the following response.
Type | Value |
---|---|
HTTP Status | 200 |
Result | SUCCESS |
Here is a sample response header:
X-CLIENT-KEY: MCH-0008-1296507211683
X-TIMESTAMP: 2022-10-07T14:26:50+07:00
Response Header Explanation
Parameter | Data Type | Type | Description |
---|---|---|---|
X-TIMESTAMP | string | Mandatory | Client's current local time in YYYY-MM-DDTHH:mm:ssZ format |
X-CLIENT-KEY | string | Mandatory | Client’s client_id (PJP name), given on completion of the registration process. Merchant to DOKU: the merchant's client_id. DOKU to Acquirer: the client_key given by the acquirer. Acquirer to DOKU: the client_key given by DOKU |
Here is a sample response body:
{
"responseCode": "2007300",
"responseMessage": "Successful",
"accessToken": "eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE2NjUxMjc3OTEsIm5iZiI6MTY2NTEyNjg5MSwiaXNzIjoiRE9LVSIsImlhdCI6",
"tokenType": "Bearer",
"expiresIn": 900,
"additionalInfo": ""
}
Response Body Explanation
Parameter | Data Type | Type | Description |
---|---|---|---|
responseCode | string(6) | Mandatory | Response code: HTTP status code + service code + case code |
responseMessage | string | Mandatory | Response description |
accessToken | string(2048) | Mandatory | A string representing an authorization issued to the client, used to access protected resources. |
tokenType | string | Mandatory | The access token type provides the client with the information required to successfully use the access token to make a protected resource request (along with type-specific attributes). Token type values: “Bearer”: the access token string is included in the request. “Mac”: a Message Authentication Code (MAC) key is issued together with the access token and is used to sign certain components of the HTTP requests. Reference: OAuth 2.0 RFC 6749 and RFC 6750 |
expiresIn | string | Mandatory | Session expiry in seconds: 900 (15 minutes) |
additionalInfo | string | Optional | Additional Information |
Error Response Message
For several error cases, the response will look like the following:
X-CLIENT-KEY not authorized
{
"responseCode": "4017300",
"responseMessage": "Unauthorized. Unknown Client"
}
X-TIMESTAMP format not valid
{
"responseCode": "4007301",
"responseMessage": "Invalid Field Format X-TIMESTAMP"
}
Signature not valid
{
"responseCode": "4017300",
"responseMessage": "Unauthorized. Signature"
}
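As an added example (not DOKU's own code), the following Go program shows both sides of the X-SIGNATURE header described above: signing stringToSign = client_ID + ":" + X-TIMESTAMP as the merchant does, verifying it as the receiving party does (a mismatch is the "Unauthorized. Signature" case listed above), and splitting a responseCode into HTTP status, service code and case code. It assumes that SHA256withRSA means PKCS#1 v1.5 padding, as in Java's algorithm of that name; the key pair is generated locally for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strconv"
)

// StringToSign is the exact payload the page specifies: client_ID + ":" + X-TIMESTAMP.
func StringToSign(clientKey, timestamp string) string {
	return clientKey + ":" + timestamp
}

// SignB2B produces the X-SIGNATURE value: SHA256withRSA over StringToSign, base64-encoded.
// Assumption: SHA256withRSA means PKCS#1 v1.5 padding, as in Java's algorithm of that name.
func SignB2B(priv *rsa.PrivateKey, clientKey, timestamp string) (string, error) {
	digest := sha256.Sum256([]byte(StringToSign(clientKey, timestamp)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyB2B is the receiving side's check: recompute the digest from the headers as received
// and verify against the client's registered public key. Any byte difference (a stray space,
// a changed timestamp) fails here, which is the page's "Unauthorized. Signature" case.
func VerifyB2B(pub *rsa.PublicKey, clientKey, timestamp, sigB64 string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return errors.New("X-SIGNATURE is not valid base64")
	}
	digest := sha256.Sum256([]byte(StringToSign(clientKey, timestamp)))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// ParseResponseCode splits the 7-digit responseCode (HTTP status + service code + case code)
// into its parts, e.g. "4017300" -> 401, "73", "00".
func ParseResponseCode(code string) (int, string, string, error) {
	if len(code) != 7 {
		return 0, "", "", errors.New("responseCode must be 7 digits")
	}
	status, err := strconv.Atoi(code[:3])
	return status, code[3:5], code[5:], err
}
```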
Pro Tips
You can also learn about generating signatures here: https://apidevportal.bi.go.id/snap/api-services/keamanan