Generate X-Hash

Overview

The X-Hash header is used to provide an additional layer of security for your API requests. It is a digital signature generated using your private key and is verified by BobPlus Africa using your public key. This ensures authenticity and integrity of your requests.

  • Purpose: Secure API requests and prevent tampering or impersonation.
  • Target Audience: All developers and businesses integrating with BobPlus Africa APIs.

Quickstart: Generating X-Hash
  1. Generate your RSA key pair: See the key generation guide for instructions.
  2. Sign the data: Use your private key to sign your businessId or the agreed payload.
  3. Base64 encode the signature: Add the result as the X-Hash header in your API request.

Step 1: Generate Your RSA Keys

First, create your RSA public and private keys. See the key generation guide for instructions.


Step 2: Sign the Request with Your Private Key
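// Load your business ID and private key
$businessId        = "XXXXXXXXXXXXX"; // Found on your merchant portal
// Restore real newlines in a PEM key stored as a single-line environment value
$privateKeyString  = str_replace("\\n", "\n", env('PRIVATE_KEY'));
$privateKey        = openssl_pkey_get_private($privateKeyString);
if ($privateKey === false) {
    throw new RuntimeException("Unable to load private key: " . openssl_error_string());
}

// Data to sign (e.g., businessId or payload)
$dataToSign        = $businessId;

// Generate the signature (RSA with SHA-256); openssl_sign() returns false on failure
if (!openssl_sign($dataToSign, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
    throw new RuntimeException("Signing failed: " . openssl_error_string());
}

// Encode the signature to base64 for use in headers
$xHash             = base64_encode($signature);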

The base64-encoded signature ($xHash) should now be added to your request headers.


Step 3: Send the Request with Token and X-Hash
$token       = "XXXXXXXXXXXXXXXXX";
$data_string = json_encode([
    "wallet_no" => "129392",
    "amount"    => "2000",
    // ...
]);

$curl = curl_init();

curl_setopt_array($curl, [
    CURLOPT_URL            => "https://base-url-here/api/v2/payment/",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING       => "",
    CURLOPT_MAXREDIRS      => 10,
    CURLOPT_TIMEOUT        => 30,
    CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST  => "POST",
    CURLOPT_POSTFIELDS     => $data_string,
    CURLOPT_HTTPHEADER     => [
        "Authorization: Bearer {$token}",
        "Content-Type: application/json",
        "cache-control: no-cache",
        "signature: XXXXXXXXXXXXXXXXXXXX", // Refer to the generate signature page
        "x-hash: {$xHash}" // Generated X-Hash header
    ]
]);

$result = curl_exec($curl);
$err    = curl_error($curl);

curl_close($curl);

if ($err) {
    echo "cURL Error #:" . $err;
} else {
    echo $result;
}

Note: The X-Hash must be verified on the server using your public key to ensure authenticity.
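
A local round trip of the signing in Step 2 and the public-key check described in the note above, useful for confirming that the public key you uploaded to the portal matches the private key you sign with. This is an added example, not code from BobPlus Africa: the function names, the sample business ID and the in-memory key pairs are assumptions, and the server's actual verification code is not shown on this page.

```php
<?php
// Added example, not BobPlus Africa code. Key pairs are throwaway, generated in memory.

// Same steps as Step 2: RSA/SHA-256 signature over the data, then base64.
function makeXHash(string $dataToSign, $privateKey): string
{
    if (!openssl_sign($dataToSign, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException("Signing failed: " . openssl_error_string());
    }
    return base64_encode($signature);
}

// Assumed receiver-side check: decode the header, verify against the same data.
function verifyXHash(string $dataToSign, string $xHash, $publicKey): bool
{
    $signature = base64_decode($xHash, true); // strict: reject non-base64 input
    if ($signature === false) {
        return false;
    }
    // openssl_verify() returns 1 only for a valid signature (0 invalid, -1/false error)
    return openssl_verify($dataToSign, $signature, $publicKey, OPENSSL_ALGO_SHA256) === 1;
}

// Hypothetical helper: returns [private key, public key PEM] for a new 2048-bit RSA pair.
function newRsaPair(): array
{
    $key = openssl_pkey_new(["private_key_bits" => 2048, "private_key_type" => OPENSSL_KEYTYPE_RSA]);
    if ($key === false) {
        throw new RuntimeException("Key generation failed: " . openssl_error_string());
    }
    return [$key, openssl_pkey_get_details($key)["key"]];
}

$businessId = "1234567890123"; // constructed sample value
[$privateKey, $publicKey] = newRsaPair();
[, $unrelatedPublicKey]   = newRsaPair(); // stands in for a stale key left in the portal

$xHash = makeXHash($businessId, $privateKey);

$cases = [
    "same data, matching public key"   => verifyXHash($businessId, $xHash, $publicKey),
    "data altered after signing"       => verifyXHash($businessId . "0", $xHash, $publicKey),
    "public key from a different pair" => verifyXHash($businessId, $xHash, $unrelatedPublicKey),
    "header value not valid base64"    => verifyXHash($businessId, "%%%", $publicKey),
];
foreach ($cases as $label => $ok) {
    printf("%-34s %s\n", $label, $ok ? "accepted" : "rejected");
}
```

To test a real integration, replace the generated pair with your own private key and the public key exactly as stored in the portal.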


Security Best Practices
  • Keep your private key secure and never share it.
  • Rotate your keys regularly and update your public key in the portal.
  • Always use HTTPS for all API requests.

Support & Feedback

For help, contact support@bobplus.africa.


Terms of Use & Legal

By using this API, you agree to our Terms of Service and Privacy Policy. Do not share sensitive data or credentials.