Signing the request

We use JWS (JSON Web Signature) as the signature method for each request to authenticate it using a second factor in addition to API credentials.

Your request won’t be processed for payment automatically, but will instead appear in a queue for processing in Fuzebox. You will need to login to Fuzebox and authorise the request using a passkey stored on your computer or mobile device. This can be done in bulk or for each individual payment.

You can test the signing on sandbox and production. However, we recommend testing it particularly on production before activating it for your shoppers.

1. Setting up the trusted signing keys.
2. Creating a JWT (JSON Web Token) for each request, which includes the signature, and including that in the request header.

• Create private / public key pair.
• Store the private key in a secure manner.
• Share public key with Volt and get your assigned public key id.

Technical specifications

• We support public keys in the following formats: PKCS1, PKCS8 and x509.
• The public key length should be between 2048 and 4096 bytes.

It is recommended that you use your own PKI infrastructure, preferably based on a hardware security module (HSM), to generate a key pair for this use case as this is industry best practice.

However, as not all companies are able to manage such solutions, the following recommendations were prepared:

• Option 1: Use Fuzebox Go to Configuration > Customers > API Access > Signature Keys > Generate a key pair. Your public key will be automatically saved and you will receive a private key and public key ID in a popup message. Please bear in mind that Volt does not save this private key.

• Option 2: Generate outside of Fuzebox You can also generate your private / public key pair using a terminal which supports the openssl command. If you generated the key pair outside of Fuzebox, please upload your public key to Fuzebox under Configuration > Customers > API Access > Signature Keys > Upload an existing public key.

Once you upload the public key, you will get a key ID (a UUID) which you’ll need to use when generating your signed token on each refund or payout request. Please keep this ID safe.

Example of an ID: 901659f9-c0fd-4d2e-82b8-a55f51f80d73.

Once you have the private key and the public key ID, you can proceed with signing the requests. To sign each request, you will need to provide a JWT token in the header of that request.

To generate a signed JWT token, you’ll need:

• Your private key.
• Your public key ID.
• The payload (the JSON body) of the POST request for your Refund or Payout.

You need to create two parts for your JWT token: the header and the signature.

The token header segment The header should be created first as a JSON object:

• alg: represents the algorithm used to encode/decode the token, in this case it’s RS256 (the RSA+SHA256 algorithm).
• typ: should be JWT.
• kid: the ID of the public key that we supplied you (UUID).

Example JSON object:

Encoding the header Remove any extra spaces or line breaks, then encode it using the base64UrlEncoded algorithm.

Example code:

Example encoded header:

The signature segment To create the signature segment, use the algorithm specified in the header and the private key. You’ll need the payload you’re sending in the POST request.

Example code to generate signature:

Example signature:

To build the final JWT token, take the encoded header and join it to the signature using two dots ...

Example code:

Example final JWT token:

Add the X-JWS-Signature header to each request, containing the JWT token you created.

Header name: X-JWS-Signature

Example: