Respond to authorization requests
This guide describes how to respond to remote authorization requests sent from Airwallex.
- Contact your Airwallex Account Manager to enable Issuing APIs, Cards, Remote Authorization for your Airwallex account.
- If you have a Scale platform account, enabling remote authorization on the platform account also enables remote authorization for connected accounts.
- Obtain an API access token by authenticating to Airwallex with your unique Client ID and API key. You will need the access token to make API calls.
- Configure remote authorization, including HTTPS endpoint, default action, etc., using Update issuing config API. For more information, see Configure remote authorization.
In addition to the request body, Airwallex attaches a digital signature to each request so that you can verify that the remote authorization request was sent by Airwallex and not by a third party who knows your endpoint URL.
The signature and the nonce are sent in the following request headers:
x-signature: The signature, sent as a base-64 string. It is an HMAC-SHA256 computed over the value of the x-nonce header, keyed with the shared_secret you configured.
x-nonce: A randomly generated nonce. Prepended to the nonce, before a '.' delimiter, is an epoch timestamp in milliseconds that can be used to validate the timeliness of the received message.
Follow these steps to validate that the remote authorization request you received is legitimate and authentic:
- Extract the x-nonce and x-signature values from the request headers.
- Compute an HMAC with the SHA-256 hash function over the x-nonce value, using your configured shared_secret as the key, and encode the result as base-64.
- Compare the x-signature header to the expected signature. Use a constant-time comparison so that the check does not leak information about the expected value through response timing. Reject the request if the signatures do not match.
- If the signature matches, take the timestamp that precedes the '.' delimiter in the x-nonce, compute the difference between the current time and that timestamp, and decide whether the difference is within your tolerance. A request whose signature is valid but whose timestamp is stale may be a replay and should be rejected.
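The following is an added example of the verification procedure above, written for this page; it is not Airwallex code. It assumes that x-signature is the base-64 encoding of the raw HMAC-SHA256 bytes, that x-nonce has the form `<epoch-ms>.<random>`, and that the header names have been lowercased by your HTTP framework. The shared secret and the header values are constructed for the example, and the 5-minute tolerance is an assumption you should tune to your own risk appetite.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Constructed secret for the example; use the shared_secret you configured
# through the Update issuing config API.
SHARED_SECRET = b"example-shared-secret-not-real"

# Assumed freshness window; not an Airwallex-specified value.
TOLERANCE_MS = 5 * 60 * 1000


def compute_signature(nonce: str, secret: bytes) -> str:
    """HMAC-SHA256 over the x-nonce value, base-64 encoded (assumed encoding)."""
    digest = hmac.new(secret, nonce.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_request(
    headers: Dict[str, str],
    secret: bytes,
    now_ms: Optional[int] = None,
    tolerance_ms: int = TOLERANCE_MS,
) -> Tuple[bool, str]:
    """Return (accepted, reason) for an incoming remote authorization request.

    Order matters: the signature is checked first so that an attacker cannot
    learn anything about the timestamp parsing without a valid signature.
    """
    nonce = headers.get("x-nonce")
    signature = headers.get("x-signature")
    if not nonce or not signature:
        return False, "missing x-nonce or x-signature header"

    expected = compute_signature(nonce, secret)
    # Constant-time comparison on bytes; a plain == would short-circuit on the
    # first differing byte and leak timing information.
    if not hmac.compare_digest(expected.encode("utf-8"), signature.encode("utf-8")):
        return False, "signature mismatch"

    # The timestamp is the part of x-nonce before the '.' delimiter.
    ts_part, sep, _random_part = nonce.partition(".")
    if not sep or not ts_part.isdigit():
        return False, "nonce does not carry a timestamp prefix"
    sent_ms = int(ts_part)

    now = int(time.time() * 1000) if now_ms is None else now_ms
    if abs(now - sent_ms) > tolerance_ms:
        return False, "timestamp outside tolerance"
    return True, "ok"


def build_sample_headers(secret: bytes, now_ms: int, random_part: str = "3f9c1a7b") -> Dict[str, str]:
    """Construct headers the way the sender would, for local testing only."""
    nonce = f"{now_ms}.{random_part}"
    return {"x-nonce": nonce, "x-signature": compute_signature(nonce, secret)}


if __name__ == "__main__":
    now = int(time.time() * 1000)
    good = build_sample_headers(SHARED_SECRET, now)
    print(verify_request(good, SHARED_SECRET))
    replayed = build_sample_headers(SHARED_SECRET, now - TOLERANCE_MS - 1)
    print(verify_request(replayed, SHARED_SECRET))
```

Because the signature covers only x-nonce and not the request body, the signature proves who sent the request and the timestamp bounds when; it does not by itself prove that the body was not altered in transit, which is why the endpoint must be served over HTTPS as the prerequisites require.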
Once your remote authorization endpoint has been configured, remote authorization data will be included as a field in webhook notification payloads and transaction API responses to allow you to better understand how your decision has affected the overall authorization process. This field will only be returned for transactions that require remote authorization. Shown below is an example of this field in the transaction response:
You can retrieve the status of all authorizations (single message and dual message) processed against your cards. For information, see Retrieve authorizations.