1. Home
  2. Documentation
  3. Generate Signature

Generate Signature

Overview

To ensure the security and authenticity of your API requests, BobPlus Africa requires all sensitive requests to be signed using a digital signature. This prevents tampering and ensures that only you can initiate transactions from your account.

  • Purpose: Secure API requests and prevent unauthorized transactions.
  • Target Audience: All developers and businesses integrating with BobPlus Africa APIs.
Quickstart: Generating a Signature
  1. Generate a key pair: Create a private and public key. Share your public key with BobPlus Africa via the business portal.
  2. Prepare the data: Concatenate specific fields from your API request payload (see API docs for the correct order).
  3. Sign the data: Use your private key to sign the concatenated string using SHA-256.
  4. Base64 encode the signature: Add the signature to your API request header.
Step 1: Generate Your Key Pair
openssl genrsa -out privatekey.pem 2048 -nodes

This creates privatekey.pem in your directory.

Step 2: Export Your Public Key
openssl rsa -in privatekey.pem -outform PEM -pubout -out publickey.pem

Copy the contents of publickey.pem and upload to the BobPlus Africa business portal.

Step 3: Prepare the Data to Sign

Concatenate the required fields from your API request in the specified order. Example payload:

{
"wallet_no": "45594949",
"reference": "KXXXXXXXXX",
"acc_name": "John Doe",
"acc_no": "2547XXXXXXXX",
"currency": "KES",
"amount": 10,
"channel": 100000,
    "email": "johndoe@gmail.com",
"description": "order payment",
    "result_url": "https://webhook.site/947e8f48-c03a-4717-a2dd-8cdb2f64e897"
}

For this example, you might concatenate account and customer_code as: 2018709129392.

Step 4: Generate the Signature (PHP Example)
$plainText  = "100000KXXXXXXXXXKES10"; // Concatenated string
$privateKeyString = str_replace("\\n", "\n", env('PRIVATE_KEY'));
$privateKey = openssl_pkey_get_private($privateKeyString);
openssl_sign($plainText, $signature, $privateKey, OPENSSL_ALGO_SHA256);

Base64 encode the signature and add it to your request header:

CURLOPT_HTTPHEADER => array(
        "Authorization: Bearer " . $token,
        "cache-control: no-cache",
        "Content-Type: application/json",
        "signature: " . base64_encode($signature)
)
Security Best Practices
  • Keep your private key secure and never share it.
  • Rotate your keys regularly and update your public key in the portal.
  • Always use HTTPS for all API requests.
Support & Feedback

For help, contact support@bobplus.africa.
Feedback on this documentation? Let us know.

Terms of Use & Legal

By using this API, you agree to our Terms of Service and Privacy Policy. Do not share sensitive data or credentials.

V2.1.2