Security - Trusting our data

🔐Hash String Validation

Essential credentials required to integrate: API Encryption Key

To ensure that the data comes from the RGS-CWS and is trustworthy, validate the hashed_result variable that we send to your endpoints inside the request body.

Apply hash_hmac('sha256', $picked_fields, $api_encryption_key) to the enumerated values (see $picked_fields below) and then compare your computed HMAC with the value of hashed_result.

If they do not match, the data cannot be trusted and you should reject it.
If they match, the data source can be trusted.

$picked_fields is a JSON string composed of these fields, in exactly this order: command,timestamp,login,internal_session_id,uniqid,amount,type,userid,custom_data

Sample code in PHP for HMAC signing (make sure to respect the given order):

getbalance Endpoint:

Example
$computed = hash_hmac(
    'sha256',
    json_encode(array(
        $data['command'],
        $data['timestamp'],
        $data['login'],
        $data['internal_session_id'],
        $data['uniqid'],
        $data['type'],
        $data['userid'],
        $data['custom_data']
    ), JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES),
    $api_encryption_key
);
// Constant-time comparison against the hashed_result sent in the body
$trusted = hash_equals($computed, (string) $data['hashed_result']);

balance_adj Endpoint

Example
$computed = hash_hmac(
    'sha256',
    json_encode(array(
        $data['command'],
        $data['timestamp'],
        $data['login'],
        $data['internal_session_id'],
        $data['uniqid'],
        $data['type'],
        $data['userid'],
        $data['custom_data'],
        $data['amount'] // compared to getbalance, we also have the amount field
    ), JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES),
    $api_encryption_key
);
// Constant-time comparison against the hashed_result sent in the body
$trusted = hash_equals($computed, (string) $data['hashed_result']);

🌏Server IP Validation

Additionally, we recommend validating the IP address from which you receive the data and making sure that it is the RGS-CWS server IP.

⌚Timestamp validation

Each request that we send to your API will contain a variable named timestamp in the request.
Each response that we return to your commands will contain a variable named timestamp in the response.

This timestamp has the format YYYY-mm-dd HH:mm:ss and informs your server of the time when the output was generated. The timezone used depends on the RGS-CWS server; clarify this with CWS support.

The response timestamp can be used to verify that the RGS-CWS system response was produced within a certain time window (for example within 30 seconds), so that you are not acting on outdated or very old data.
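The HMAC check and the timestamp freshness check above, written as an added Python example (not code from RGS-CWS or this page). It rebuilds $picked_fields the way the PHP samples do (compact JSON list, raw UTF-8, unescaped slashes, amount appended only for balance_adj), compares in constant time, and rejects missing, malformed or stale timestamps; the key, field values and the UTC timezone are constructed assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Signed fields in the order the PHP samples use; balance_adj appends amount.
BASE_FIELDS = ["command", "timestamp", "login", "internal_session_id",
               "uniqid", "type", "userid", "custom_data"]

def picked_fields_json(data, endpoint):
    """Rebuild $picked_fields like PHP json_encode(array(...),
    JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES): a compact JSON list,
    raw UTF-8, slashes unescaped, missing fields encoded as null."""
    fields = BASE_FIELDS + (["amount"] if endpoint == "balance_adj" else [])
    values = [data.get(name) for name in fields]
    return json.dumps(values, ensure_ascii=False, separators=(",", ":"))

def compute_hmac(data, endpoint, api_encryption_key):
    # Lowercase hex, the same encoding PHP hash_hmac() returns by default.
    return hmac.new(api_encryption_key.encode("utf-8"),
                    picked_fields_json(data, endpoint).encode("utf-8"),
                    hashlib.sha256).hexdigest()

def hmac_matches(data, endpoint, api_encryption_key):
    """True only if hashed_result in the body equals our HMAC (constant-time)."""
    expected = compute_hmac(data, endpoint, api_encryption_key)
    received = str(data.get("hashed_result", "")).encode("utf-8")
    return hmac.compare_digest(expected.encode("utf-8"), received)

def parse_ts(value):
    """YYYY-mm-dd HH:mm:ss; zone is whatever CWS support confirms (UTC assumed)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def timestamp_fresh(ts, now=None, max_age_seconds=30):
    """Reject missing, malformed or stale timestamps; clock skew in either
    direction is tolerated only up to max_age_seconds."""
    try:
        sent = parse_ts(ts)
    except (TypeError, ValueError):
        return False
    now = now or datetime.now(timezone.utc)
    return abs(now - sent) <= timedelta(seconds=max_age_seconds)

# Constructed sample body (not real RGS-CWS traffic) signed with a dummy key.
SAMPLE_KEY = "dummy-api-encryption-key"
SAMPLE = {"command": "balance_adj", "timestamp": "2024-01-01 12:00:00",
          "login": "player1", "internal_session_id": "sess/1", "uniqid": "tx-1",
          "type": "debit", "userid": 42, "custom_data": "ünicode", "amount": 10.5}
SAMPLE["hashed_result"] = compute_hmac(SAMPLE, "balance_adj", SAMPLE_KEY)
```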