API

How to use the API as a merchant.

JSON protocol

All requests and responses are in JSON format and use the following conventions:

  • Field Naming: All field names are written in camelCase.
  • Mandatory Fields: All fields are mandatory unless explicitly stated otherwise.
  • Case Sensitivity: All fields and their values are case-sensitive.
  • Encoding: All strings use UTF-8 encoding.
  • Monetary Values: All monetary values are represented in decimal format, with a dot as the decimal separator (e.g., 123.45).

Note

The API does not use cookies, client IDs, or secrets.

API calls

The API uses mutual TLS (mTLS) for authentication and encryption. Each merchant is issued a unique certificate and private key, and all API calls must be signed with the private key that belongs to the merchant’s certificate.

  • Merchants can generate a new certificate within the back-office interface.
  • The root CA certificate used to sign the merchant’s certificate can also be obtained from the back-office to verify the authenticity of API calls.
  • The minimum supported TLS version is 1.2.

Key Points for API Requests:

  • All API requests must be signed using the merchant’s private key.
  • Krofort will validate the request’s authenticity using the merchant’s certificate.

Key Points for API Responses:

  • All API responses are signed with Krofort’s root private key.
  • Merchants should verify API responses using Krofort’s public root certificate.

Note

The minimum TLS version is 1.2.

For instructions on generating a certificate see Generating Certificates.
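
The client side of the mTLS setup described above, as an added example that is not part of Krofort's own documentation or code. The file names, the URL and the use of POST are assumptions, as is the premise that the API server's TLS certificate chains to the root CA certificate downloaded from the back-office.

```python
import ssl
import urllib.request

# Hypothetical names: use the files obtained from the back-office.
ROOT_CA = "krofort-root-ca.pem"
MERCHANT_CERT = "merchant-cert.pem"
MERCHANT_KEY = "merchant-key.pem"
API_URL = "https://api.example.invalid/"  # placeholder, not a real endpoint


def hardened_context() -> ssl.SSLContext:
    """Client context with an empty trust store and a TLS 1.2 floor."""
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def merchant_context(root_ca: str, cert: str, key: str) -> ssl.SSLContext:
    """mTLS context: trust only root_ca, present the merchant certificate."""
    ctx = hardened_context()
    # Only the supplied root is trusted; the system CA store is never loaded,
    # so a certificate issued by any other CA fails the handshake.
    ctx.load_verify_locations(cafile=root_ca)
    # Certificate and private key used to authenticate the merchant.
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx


def call_api(url: str, body: bytes, ctx: ssl.SSLContext) -> bytes:
    """Send a UTF-8 JSON body over the mTLS connection (POST is assumed)."""
    req = urllib.request.Request(
        url,
        data=body,
        headers={"Content-Type": "application/json; charset=utf-8"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    try:
        context = merchant_context(ROOT_CA, MERCHANT_CERT, MERCHANT_KEY)
        print(call_api(API_URL, b"{}", context))
    except FileNotFoundError as exc:
        print(f"certificate material missing: {exc.filename}")
```

Keep the private key file readable only by the account that runs the integration; anyone who can read it can authenticate as the merchant.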