Documentation

Raya API is a compilation of Application Programming Interfaces (APIs) developed by Bank Raya that enables your application to integrate with Bank Raya banking services easily and quickly. Raya API enables your company to streamline your customers’ financial activities.

Authentication

Raya API uses the OAuth 2 Authorization Framework to grant a third party access to user accounts on an HTTP service. Before sending an API request to a Raya API product, you have to retrieve a token by calling the Get Token endpoint.

As an additional security measure, every API request carries a signature to ensure that the data in each request and response cannot be hijacked and copied by an unauthorized user. The signature is generated using the HMAC_SHA512 algorithm.

The parameters below must be placed in the header of every API request (except for the Get Token endpoint):

| Key | Value |
| --- | --- |
| Accept | Application/json |
| Content-type | Application/json |
| Authorization | Bearer <String: Token> |
| X-SIGNATURE | <String: Signature> |
| X-TIMESTAMP | <String: Timestamp> |
| X-PARTNER-ID | <String: Partner ID> |
| X-EXTERNAL-ID | <String: External ID> |
| CHANNEL-ID | <String: Channel ID> |

Token

This endpoint is used to generate a token which is required for every API call. Enter this token in the Authorization header.

HTTP Request

POST https://api.sandbox.bankraya.co.id/oauth/accesstoken?grant_type=client_credentials

Request Header

| Key | Value | Mandatory |
| --- | --- | --- |
| Content-Type | application/x-www-form-urlencoded | Yes |

Request Body

| Field | Data Type | Mandatory | Description |
| --- | --- | --- | --- |
| client_id | string | Yes | Consumer key |
| client_secret | string | Yes | Consumer secret |

Request Example

curl --location --request POST 'https://api.sandbox.bankraya.co.id/oauth/client_credential/accesstoken?grant_type=client_credentials' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=xxxxxxxxxxxxxxxxxxx7kuJAyQkWpt' \
--data-urlencode 'client_secret=123xxxxxxxxxxxxxOx'

Response Example

{
	"refresh_token_expires_in": "0",
	"api_product_list": "[inquiry-sandbox]",
	"api_product_list_json": [
		"inquiry-sandbox"
	],
	"organization_name": "bankraya",
	"developer.email": "[email protected]",
	"token_type": "BearerToken",
	"issued_at": "1557891212144",
	"client_id": "8E20dpP7KtakFkShw5tQHOFf7FFAU01o",
	"access_token": "R04XSUbnm1GXNmDiXx9ysWMpFWBr",
	"application_name": "317d0b2f-6536-4cac-a5f0-3bc9908815b3",
	"scope": "",
	"expires_in": "179999",
	"refresh_count": "0",
	"status": "approved"
}

Signature

The signature ensures that the data sent is authentic and cannot be repudiated. It is computed over a defined payload using the symmetric signature format HMAC_SHA512(clientSecret, stringToSign), with the formula:

stringToSign = HTTPMethod + ":" + EndpointUrl + ":" + AccessToken + ":" + Lowercase(HexEncode(SHA-256(minify(RequestBody)))) + ":" + TimeStamp

The end result is placed in the X-SIGNATURE header.

Payload

The payload consists of verb, path, token, timestamp, and body. Payload example:

POST:/snap/v1.0/balance-inquiry:PyzdfxJfX9J9031yRvlgHlGe0RK9:2e7f527e3a923fd906168cf4d2dd132eb080f2189a0e08935083bb6122925527:2022-12-09T03:45:20.741Z

Payload Element

| Name | Description | Example |
| --- | --- | --- |
| Path | Value in path, i.e. the URL after hostname and port, without query parameters | from https://api.sandbox.bankraya.co.id/snap/v1.0/balance-inquiry to /snap/v1.0/balance-inquiry |
| Verb | HTTP method in uppercase | GET, POST |
| Token | The token that is used for the Authorization header | Bearer miGNKBeg1H9efJ75kQAvbnbGRdGZ |
| Timestamp | Timestamp when you call the API. The timestamp must follow ISO8601 format (yyyy-MM-ddTHH:mm:ss.SSSZ) | 2022-08-09T13:47:56.726Z |
| Body | Request body that is used for the API call | {"accountNo":"001001000060300"} |

Note: Be aware that you must enter the exact same body you are submitting. Any difference in letters, spaces, or lines may cause a different signature.
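
The signing procedure described above, written out in Python as an added example (not Bank Raya's own code), with a constant-time check for the receiving side. It assumes the raw access token without the "Bearer" prefix goes into stringToSign, as in the payload example; that a request without a body hashes the empty string; and that the HMAC output is Base64-encoded, since the page does not state the encoding. The function names are illustrative.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

def iso_timestamp(now=None):
    """UTC time as yyyy-MM-ddTHH:mm:ss.SSSZ, e.g. 2022-12-09T03:45:20.741Z."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"

def minify(body):
    """Drop insignificant JSON whitespace while keeping key order."""
    if not body.strip():
        return ""  # assumption: a request without a body hashes the empty string
    return json.dumps(json.loads(body), separators=(",", ":"), ensure_ascii=False)

def string_to_sign(method, url, access_token, body, timestamp):
    path = urlsplit(url).path  # path only: no scheme, host, port or query
    body_hash = hashlib.sha256(minify(body).encode("utf-8")).hexdigest()  # lowercase hex
    return ":".join([method.upper(), path, access_token, body_hash, timestamp])

def sign(client_secret, method, url, access_token, body, timestamp):
    message = string_to_sign(method, url, access_token, body, timestamp)
    mac = hmac.new(client_secret.encode("utf-8"), message.encode("utf-8"), hashlib.sha512)
    # Assumption: Base64 output; the page does not say how X-SIGNATURE is encoded.
    return base64.b64encode(mac.digest()).decode("ascii")

def verify(client_secret, received, method, url, access_token, body, timestamp):
    """Recompute the signature and compare in constant time."""
    expected = sign(client_secret, method, url, access_token, body, timestamp)
    return hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8"))

def signed_request(client_secret, method, url, access_token, body):
    """Return (headers, wire_body); send wire_body unchanged, it is what was signed."""
    wire_body, ts = minify(body), iso_timestamp()
    headers = {
        "Authorization": "Bearer " + access_token,
        "X-TIMESTAMP": ts,
        "X-SIGNATURE": sign(client_secret, method, url, access_token, wire_body, ts),
    }
    return headers, wire_body

if __name__ == "__main__":
    # Constructed sample: placeholder secret and token; URL and body from the page.
    print(signed_request("constructed-secret", "POST",
          "https://api.sandbox.bankraya.co.id/snap/v1.0/balance-inquiry",
          "constructed-token", '{ "accountNo": "001001000060300" }'))
```

Serializing the body once and sending exactly those bytes avoids the mismatch the note above warns about; the remaining headers (X-PARTNER-ID, X-EXTERNAL-ID, CHANNEL-ID) are added by the caller.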