Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
InPost Pay
Solution Concept
The InPost Pay solution helps finalize the purchasing process (checkout) in the InPost Mobile app based on the integration with different platforms/online stores.
The solution addresses basic problems present on the e-commerce market:
Purchases in the guest mode, without the need to create an account in several stores
No need to provide the delivery/invoice data etc.
Shortening the time required from displaying the product to finalizing the purchase
Reducing the number of abandoned baskets
The Merchant – Inpost Pay integration includes the following elements:
https://dokumentacja-inpost.atlassian.net/wiki/spaces/PL/pages/130023427/Widget + Backend InPost Pay - Widget – A widget that makes it possible to integrate the websites (frontend) of merchants with InPost Pay
InPost Pay (Basket_App) – a module which provides access to the API, which makes it possible to exchange information regarding the basket and the processing of the order
The basic scenario of using InPost Pay by an end user is as follows:
The user displays the website of a merchant (the mobile version, and the desktop version), when moving to the page of the product chosen
The User selects the button "Kup z InPost Pay"
The Product is added to the basket at a merchant's. The merchant transfers the basket's data to InPost Pay (Basket App). The basket is marked as synchronized with InPost Pay.
The InPost Mobile displays the message push: A new basket awaiting for payment appears.
The user opens the InPost Mobile app with the selected basket on their phone.
The app automatically sets the delivery method chosen, and the default payment form on the basis of the user's profile in InPost Mobile.
After choosing the operation "Kupuję i płacę " (Buy and pay), InPost Pay creates an order at the merchant based on the current basket.
The user makes the payment in the InPost Mobile app
The merchant is notified of the execution of the payment
10. The Merchant creates and sends the shipment in the standard way.
11. The merchant notifies InPost Pay of the shipment they used to fulfill the given order.
Integration with InPost Pay takes place through "the basket". The products the user wants to buy using Inpost Pay are added to the basket at a merchant's. The merchant notifies InPost Pay of any changes in the basket. The notification is made only for such baskets, for which the user selects the action Kup z InPost Pay at least once (the basket is synchronized with InPost Pay)
When the user makes changes in a synchronized basket on the merchant's website (number of pieces changed, new products added to the basket), the merchant transfers the changes to InPost Pay. InPost Mobile refreshes the screen with the basket in the app for the user.
The Integration assumes that the user can perform in InPost Mobile specific operations on the basket, for instance change the number of pieces, enter a rebate code etc. Each time, such an information is transferred to the merchant. Upon calculating the content of the basket, the merchant sends it back to InPost Pay.
Before purchasing, the user accepts the merchant's terms and conditions.
The User may pay for a synchronized basket on the merchant's website. In such a case, the order is not realized by InPost Pay. The merchant notifies InPost Pay of finalizing the basket in another channel.
Info |
---|
The Integration with InPost Pay does not affect the integration with InPost's systems rekated to generating shipments, currently implemented by the merchant. |
Headers
The following headers (headers) are added to all services called by Merchants in Basket-app. Currently, they are optional. Eventually Basket-app will have these headers set as required:
x-signature
- signature
x-signature-timestamp
- ISO8601 datetime string in UTC timezone with time of signature generation ex. 2023-05-11T15:02:23.429Z
x-public-key-ver
- version of keys used to generate signature
x-public-key-hash
- SHA-256 hash of public key used to generate signature
Signature verification algorithm
Signature verification algorithm:
Recipient receives signed request with headers:
x-signature
- signaturex-signature-timestamp
- ISO8601 datetime string in UTC timezone with time of signature generation ex.2023-05-11T15:02:23.429Z
x-public-key-ver
- version of keys used to generate signaturex-public-key-hash
-SHA-256
hash of public key used to generate signature
Recipient checks if already have cached public key with given version
key present in cache:
recipient checks if public key hash matches calculated as:
SHA-256
hash frompublic_key_base64
field. if verification is:positive - continue
negative - reject request
key not present in cache:
obtain public key from
/v1/izi/signing-keys/public/{keyVersion
} or/api/v1/izi/signing-keys/public
and verify hash as above
Prepare base64 string that consists of
DIGEST,external-merchant-id,x-public-key-ver,x-signature-timestamp
. Values are separated with commasx-public-key-ver
,x-signature-timestamp
from headers, use empty value if header is missing.merchant_external_id
value comes from endpoints/v1/izi/signing-keys/public/{keyVersion
} and/v1/izi/signing-keys/public
asmerchant_external_id
fieldDIGEST
: base64 form ofSHA-256
hash (Message Digest) generated from request body. Use empty byte array as request body if body is missing.
Decode base64 signature and verify it with the
SHA256withRSA
algorithm for the given public key and signature string. If verification:positive - continue
negative - reject request
Recipient compares
x-signature-timestamp
value to current time. If difference is:less or equal to 240s - continue
bigger than 240s - reject request
Manual signature verification:
curl --location 'http://{basket-app-host}/basket-app/api/v1/izi/signing-keys/public/{keyVersion}'
replace {Unknown macro: { {keyVersion}}}with value from header:
x-public-key-ver
echo "$PUBLIC_KEY_BASE64" | openssl base64 -d -A | openssl rsa -pubin -inform DER -outform PEM -out pubkey.pem
replace$PUBLIC_KEY_BASE64
with value from field:public_key_base64
DIGEST=$(echo -n "$(<message_body)" | openssl dgst -sha256 -binary | openssl enc -base64 -A)
wheremessage_body
is a file with EXACT request body (without any additions, whitespaces etc.)echo -n "$DIGEST,$EXTERNAL_MERCHANT_ID,$KEY_VERSION,$SIGNATURE_TIMESTAMP" | openssl enc -base64 -A -out signature_string
where$EXTERNAL_MERCHANT_ID
value is from public key endpoint - fieldmerchant_external_id
,$KEY_VERSION
value is from headerx-public-key-ver
and$SIGNATURE_TIMESTAMP
value is fromx-signature-timestamp
openssl enc -base64 -d -A -in request_signature -out signature.bin
whererequest_signature
is a file with value from headerx-signature
openssl dgst -sha256 -verify pubkey.pem -signature signature.bin signature_string
should printVerified OK
Glossary
Term | Definition |
InPost Pay | An entire IT solution consisting of several systems which handle the purchase finalizing process for different merchants in the InPost Mobile app. |
InPost Moblie | The currently operational InPost Moblie app which makes it possible to track and send shipments. |
Merchant | A store/a platform which offers product sales online, integrated with InPost Pay. |
Basket | One or several products that the User selects on the merchant's website. The content of the basket is transferred to InPost Pay. |
User | An end user who makes purchases om the merchant's website and who has the InPost Moblie app. |
Bank | Aion Bank. |
Pay Widget | An element embedded on the Merchant's website, which makes it possible to select the options Kup z InPost Pay, and to link a computer with the InPost Moblie application. |
Order | An entity created from a basket after its purchase is initiated by the User |
Trusted/linked browser | An instance of a web browser which operates on the specific device, added to trusted IM apps. Only a trusted browser may add products to a basket in InPost Moblie. |
Merchant onboarding | Integration of the Merchant with InPost Pay system. The process of "creating" a Merchant in the Aion systems for the needs of processing the payments, and for Merchant Financing |
InPost Mobile onboarding | Downloading the InPost Mobile app, and logging a user in by entering and verifying a phone number. |
InPost Pay onboarding | Acceptance of the Terms and Conditions of InPost Pay service and entering the first name, last name, and the e-mail address for retail customers (natural persons not businesses). |