Paths
/security/e2e/key
Exchange the session key with the server.
This API accepts the session key in the request and cache them in the session. This key will be used for all E2E cryptographic operations between client and server. Below is the details of the request format.
1. Generate 32 byte/256 bit AES encryption key and convert to HexString(64 chars) - EK
2. Generate IV and convert to HexString 32 chars - IV
3. Generate 32 byte/256 bit AES Hmac key and convert to HexString (64 chars) - HK
4. Concatenate {EK+IV+HK} and do RSA encryption with the public key. Convert the output to HexString. - Hex[PubKey{EK+IV+HK}]-encryptedPayload
5. Generate check digit of EK - encKeyCheckDigit
6. Generate check digit of HK - hmacKeyCheckDigit
For every success scenario, this api sends an encrypted server random/eventId in the response headers. Eventid will be in below format
1. Generate a 32 char secure random - SR
2. Encrypt SR with EK using IV - CipherSRBytes
3. Encode CipherSRBytes with Base64 - CipherSR_B64
4. Calculate HMAC of CipherSRBytes using HK and convert to Base64 encoded - SRHmac_B64
5. eventId in the response header will be in the form of { CipherSR_B64.SRHmac_B64 } with a dot delimiter.
A 128 bit universally unique identifier (UUID) that you generate for every request and is used for tracking. It is recommended to use the output from Java UUID class or an equivalent. If not provided by APP, PSG will generate it.
{
"default": "a7d1e304-83a9-4413-af97-62615e57eae66807840"
}
Content-Types that are acceptable for the response. Currently we support application/json.If not provided by APP, PSG will generate it.
{
"default": "application\/json"
}
This is the HTTP Content-Type.If not provided by APP, PSG will generate it.
{
"default": "application\/json"
}
HTTP Accept-Language header.If not provided by APP, PSG will add default.
{
"default": "en-US"
}
2 character ISO country code.If not provided by APP, PSG will add default(MX)
{
"default": "US"
}
business code.If not provided by APP, PSG will add default(GCB)
{
"default": "GCB"
}
Channel Id identifies the consumer from where the request comes
{
"default": "MOB"
}
sid
{
"default": "abbb4837-8343-418c-93d8-77a8519dff9e"
}
The Authorization Token received during login.The scope will be limited till APIGateway.
{
"default": "asdfkjsaldfjasfiewetowtllasgflasfspfwerfjwejrowglklasdfaslf"
}
The client ID you received during application registration in the developer portal.The scope will be limited till APIGateway.
{
"default": "29738e5a-fbbf-4b55-981d-d2f3d2a60605"
}
Session key details for exchanging with the server.
Session keys are exchanged successfully
(BAD REQUEST) - Request was not processed
Type | Code | Details |
invalid | invalidRequest | Missing Parameters |
error | chkDigitNotMatch | Check digits do not match |
error | cannotDecryptData | Cannot decrypt, please re-check the encrypted value |
Unauthorized - Client must authenticate itself to get the requested response
Type | Code | Details |
error | unAuthorized | Authorization credentials are missing or invalid |
(FORBIDDEN) - Unauthorized to perform the requested operation on resource
Type | Code | Details | More Info |
invalid | accessNotConfigured | The request operation is not configured to access this resource | Channel/Country/Business provided in the request is not supported currently |
(Not Found) - The requested resource could not be found but may be available in the future.
Type | Code | Details | More Info |
error | resourceNotFound | The requested resource was not found | Empty resource/resource not found |
(INTERNAL SERVER ERROR) - API Server Error
Type | Code | Details |
fatal | serverUnavailable | The request failed due to an internal error/server unavailability |
A 128 bit universally unique identifier (UUID) that you generate for every request and is used for tracking. It is recommended to use the output from Java UUID class or an equivalent. If not provided by APP, PSG will generate it.
{
"default": "a7d1e304-83a9-4413-af97-62615e57eae66807840"
}
Content-Types that are acceptable for the response. Currently we support application/json.If not provided by APP, PSG will generate it.
{
"default": "application\/json"
}
This is the HTTP Content-Type.If not provided by APP, PSG will generate it.
{
"default": "application\/json"
}
HTTP Accept-Language header.If not provided by APP, PSG will add default.
{
"default": "en-US"
}
2 character ISO country code.If not provided by APP, PSG will add default(MX)
{
"default": "US"
}
business code.If not provided by APP, PSG will add default(GCB)
{
"default": "GCB"
}
Channel Id identifies the consumer from where the request comes
{
"default": "MOB"
}
sid
{
"default": "abbb4837-8343-418c-93d8-77a8519dff9e"
}
The Authorization Token received during login.The scope will be limited till APIGateway.
{
"default": "asdfkjsaldfjasfiewetowtllasgflasfspfwerfjwejrowglklasdfaslf"
}
The client ID you received during application registration in the developer portal.The scope will be limited till APIGateway.
{
"default": "29738e5a-fbbf-4b55-981d-d2f3d2a60605"
}
Session key details for exchanging with the server.
200 OK
Definitions
{
"required": [
"encryptedPayload",
"encKeyCheckDigit",
"hmacKeyCheckDigit",
"algorithm"
],
"type": "object",
"properties": {
"encryptedPayload": {
"description": "Session Key exchange payload",
"example": "jlijsdifjosigjojoierowjgoijwogwehwengwijeojowjoegj"
},
"encKeyCheckDigit": {
"type": "string",
"description": "Check digit of encryption key.",
"example": "2CD345"
},
"hmacKeyCheckDigit": {
"type": "string",
"description": "Check digit of HMAC key.",
"example": "5T0985"
},
"algorithm": {
"type": "string",
"description": "Algorthm of the session keys. Currently only AES is supported.",
"example": "AES"
}
}
}
{
"required": [
"type",
"code"
],
"properties": {
"type": {
"type": "string",
"enum": [
"error",
"warn",
"invalid",
"fatal"
],
"description": "
invalid - Request did not confirm to the specification and was unprocessed & rejected. Please fix the value and try again
warn - Request was partially processed. E.g. some of the fields are missing in response to the system issues, request was accepted successfully but will be processed asynchronously
error - The request was accepted but could not be processed successfully
fatal - There was an internal system error while processing the request. These are technical errors and will be resolved by Citi, and the consumer should retry after some time. Business errors will not be categorized as fatal "
},
"code": {
"type": "string",
"description": "Error code which qualifies the error"
},
"details": {
"type": "string",
"description": "Human readable explanation specific to the occurrence of the problem"
},
"location": {
"type": "string",
"description": "The name of the field that resulted in the error"
},
"moreInfo": {
"type": "string",
"description": "URI to human readable documentation of the error"
}
}
}