Kunjungi bca.co.id

Authentication

OAuth2.0 Signature Headers

API Services

Business Banking Collection Financing FIRE Flazz General Information Notification Sakuku Virtual Account

Others

List Bank Code Give us some feedback Sandbox Tutorial

Search Result

Introduction

API Updated: April 3rd, 2023

  • New API: Internal Account Inquiry

OAuth2.0

API Key and API Secret are used for hashing HMAC. You can generate API Key and API Secret after sign in and create application.

Signature is used by BCA to verify that your request is not altered by attackers.

The outline of the HMAC validation process is as follows:

  • Retrieve Timestamp from HTTP Header (X-BCA-Timestamp)
  • Retrieve the API Key form HTTP Header (X-BCA-Key)
  • Lookup the API Secret corresponding to the received key in internal store
  • Retrieve client HMAC from HTTP Header lowercase hexadecimal format (X-BCA-Signature)
  • Calculate HMAC using the API Secret as the HMAC secret key
  • Compare client HMAC with calculated HMAC

If HMAC hash comparison is invalid API Gateway will return a HTTP 400 error code with "HMAC Mismatch" message.

Generate Signature

SHA-256 HMAC is used to generate the signature with your API secret as the key.

Signature = HMAC-SHA256(apiSecret, StringToSign)

The StringToSign will be a colon-separated list derived from some request data as below:

StringToSign = HTTPMethod+":"+RelativeUrl+":"+AccessToken+":"+Lowercase(HexEncode(SHA-256(RequestBody)))+":"+Timestamp

For GET request (with no RequestBody), you still need to calculate SHA-256 of an empty string.

Details about the data used to derived The StringToSign is explained in the next sections.

Example

Request

Request EXAMPLE ONE

Data :
  - Method : POST
  - Relative URL : /banking/corporates/transfers
  - Access token : lIWOt2p29grUo59bedBUrBY3pnzqQX544LzYPohcGHOuwn8AUEdUKS
  - Request body :
    {
      "CorporateID" : "BCAAPI2016",
      "SourceAccountNumber" : "0201245680",
      "TransactionID" : "00000001",
      "TransactionDate" : "2016-01-30",
      "ReferenceID" : "12345/PO/2016",
      "CurrencyCode" : "IDR",
      "Amount" : "100000.00",
      "BeneficiaryAccountNumber" : "0201245681",
      "Remark1" : "Transfer Test",
      "Remark2" : "Online Transfer"
    }
  - Timestamp : 2016-02-03T10:00:00.000+07:00

API Secret : 22a2d25e-765d-41e1-8d29-da68dcb5698b

Lowercase(HexEncode(SHA-256(RequestBody))) : e3cf5797ac4ac02f7dad89ed2c5f5615c9884b2d802a504e4aebb76f45b8bdfb

StringToSign : POST:/banking/corporates/transfers:lIWOt2p29grUo59bedBUrBY3pnzqQX544LzYPohcGHOuwn8AUEdUKS:e3cf5797ac4ac02f7dad89ed2c5f5615c9884b2d802a504e4aebb76f45b8bdfb:2016-02-03T10:00:00.000+07:00

Signature : 69ad66589ade078a30922a0848725cf153aecfcca82eba94e3270285b4a9c604

GET Example:

Data:
  - Method : GET
  - Relative URL : /banking/v3/corporates/BCAAPI2016/accounts/0201245680/statements?StartDate=2016-09-01&EndDate=2016-09-01
  - Access token : lIWOt2p29grUo59bedBUrBY3pnzqQX544LzYPohcGHOuwn8AUEdUKS
  - Request body :
  - Timestamp : 2016-02-03T10:00:00.000+07:00

API Secret : 22a2d25e-765d-41e1-8d29-da68dcb5698b

Lowercase(HexEncode(SHA-256(RequestBody))) : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

StringToSign : GET:/banking/v2/corporates/BCAAPI2016/accounts/0201245680/statements?EndDate=2016-09-01&StartDate=2016-09-01:lIWOt2p29grUo59bedBUrBY3pnzqQX544LzYPohcGHOuwn8AUEdUKS:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855:2016-02-03T10:00:00.000+07:00

Signature : 3ac124303746d222387d4398dddf33201a384aa22137aa08f4d9843c6f467a48

Example

Response

Response EXAMPLE ONE

Data :
  - Method : POST
  - Relative URL : /banking/corporates/transfers
  - Access token : lIWOt2p29grUo59bedBUrBY3pnzqQX544LzYPohcGHOuwn8AUEdUKS
  - Request body :
    {
      "CorporateID" : "BCAAPI2016",
      "SourceAccountNumber" : "0201245680",
      "TransactionID" : "00000001",
      "TransactionDate" : "2016-01-30",
      "ReferenceID" : "12345/PO/2016",
      "CurrencyCode" : "IDR",
      "Amount" : "100000.00",
      "BeneficiaryAccountNumber" : "0201245681",
      "Remark1" : "Transfer Test",
      "Remark2" : "Online Transfer"
    }
  - Timestamp : 2016-02-03T10:00:00.000+07:00

API Secret : 22a2d25e-765d-41e1-8d29-da68dcb5698b

Lowercase(HexEncode(SHA-256(RequestBody))) : e3cf5797ac4ac02f7dad89ed2c5f5615c9884b2d802a504e4aebb76f45b8bdfb

StringToSign : POST:/banking/corporates/transfers:lIWOt2p29grUo59bedBUrBY3pnzqQX544LzYPohcGHOuwn8AUEdUKS:e3cf5797ac4ac02f7dad89ed2c5f5615c9884b2d802a504e4aebb76f45b8bdfb:2016-02-03T10:00:00.000+07:00

Signature : 69ad66589ade078a30922a0848725cf153aecfcca82eba94e3270285b4a9c604

GET Example:

Data:
  - Method : GET
  - Relative URL : /banking/v3/corporates/BCAAPI2016/accounts/0201245680/statements?StartDate=2016-09-01&EndDate=2016-09-01
  - Access token : lIWOt2p29grUo59bedBUrBY3pnzqQX544LzYPohcGHOuwn8AUEdUKS
  - Request body :
  - Timestamp : 2016-02-03T10:00:00.000+07:00

API Secret : 22a2d25e-765d-41e1-8d29-da68dcb5698b

Lowercase(HexEncode(SHA-256(RequestBody))) : e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

StringToSign : GET:/banking/v2/corporates/BCAAPI2016/accounts/0201245680/statements?EndDate=2016-09-01&StartDate=2016-09-01:lIWOt2p29grUo59bedBUrBY3pnzqQX544LzYPohcGHOuwn8AUEdUKS:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855:2016-02-03T10:00:00.000+07:00

Signature : 3ac124303746d222387d4398dddf33201a384aa22137aa08f4d9843c6f467a48

Signature

API Key and API Secret are used for hashing HMAC. You can generate API Key and API Secret after sign in and create application.

Signature is used by BCA to verify that your request is not altered by attackers.

The outline of the HMAC validation process is as follows:

  • Retrieve Timestamp from HTTP Header (X-BCA-Timestamp)
  • Retrieve the API Key form HTTP Header (X-BCA-Key)
  • Lookup the API Secret corresponding to the received key in internal store
  • Retrieve client HMAC from HTTP Header lowercase hexadecimal format (X-BCA-Signature)
  • Calculate HMAC using the API Secret as the HMAC secret key
  • Compare client HMAC with calculated HMAC

If HMAC hash comparison is invalid API Gateway will return a HTTP 400 error code with "HMAC Mismatch" message.

HTTP Method

SHA-256 HMAC is used to generate the signature with your API secret as the key.

Signature = HMAC-SHA256(apiSecret, StringToSign)

The StringToSign will be a colon-separated list derived from some request data as below:

StringToSign = HTTPMethod+":"+RelativeUrl+":"+AccessToken+":"+Lowercase(HexEncode(SHA-256(RequestBody)))+":"+Timestamp

For GET request (with no RequestBody), you still need to calculate SHA-256 of an empty string.

Details about the data used to derived The StringToSign is explained in the next sections.

Example

Request

curl –X GET https://sandbox.bca.co.id/open-account/marketplace/status
-H
'credentialid':'F90338EA-853B-4512-AE58-0E72BE2E88ED',
'application-id':'C5276A67-711E-468EBB14-01861D2746C6',
'channel-id':'95171'