This section shows you how to create a Charge using our Safe Acceptance API.
If your payment flow and use cases make use of our Tokenization API, follow the steps below.
If you prefer to charge the card directly from your frontend client, follow the steps below.
Why is a signature necessary when sending a request via the Xendit Safe Acceptance API?
With this API, requests are initiated from, and responses are returned to, the client side rather than being exchanged server-to-server. This opens a possible security vulnerability: if a request or response is intercepted in transit, the interceptor can interfere with the payload.
The API uses a signature to validate requests and their corresponding responses. A signature is generated from the request and response body by hashing with a shared secret key that is known only to the merchant and Xendit.
When you verify the signature in Xendit’s response and it does not match your request body, it is likely that the response has been tampered with, which potentially exposes you to fraud. Reject the response in that situation.
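The rejection rule described above, as an added example that is not Xendit's code and not part of the original page. The page does not name the hash algorithm, the serialization, or the fields, so this sketch assumes HMAC-SHA256 over canonical JSON with the response signature computed over the request and response bodies together; the key, function names and sample bodies are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed placeholder; a real key is loaded from the merchant's secret store.
SHARED_SECRET = b"example-shared-secret"


def canonical(body):
    """Serialize deterministically so both sides hash identical bytes (assumed rule)."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_response(request_body, response_body, secret=SHARED_SECRET):
    """Keyed hash binding a response to its request (HMAC-SHA256 is an assumption)."""
    message = canonical({"request": request_body, "response": response_body})
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def accept_response(request_body, response_body, signature, secret=SHARED_SECRET):
    """Server-side check; False means the response must be rejected."""
    if not isinstance(signature, str):
        return False
    expected = sign_response(request_body, response_body, secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode("utf-8"))


# Constructed sample bodies; field names are illustrative, not the API's schema.
REQUEST = {"reference": "order-1001", "amount": 150000, "currency": "IDR"}
RESPONSE = {"reference": "order-1001", "amount": 150000, "status": "SUCCEEDED"}


def demo():
    sig = sign_response(REQUEST, RESPONSE)  # stands in for the signature returned
    return {
        "genuine": accept_response(REQUEST, RESPONSE, sig),
        "altered_response": accept_response(REQUEST, dict(RESPONSE, amount=1), sig),
        "other_request": accept_response(dict(REQUEST, reference="order-9999"), RESPONSE, sig),
        "wrong_key": accept_response(REQUEST, RESPONSE, sig, secret=b"guess"),
        "missing_signature": accept_response(REQUEST, RESPONSE, None),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

Run this check on the merchant backend; the shared secret must never be shipped to the frontend client, since anyone holding it can produce valid signatures.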
See below for the Safe Acceptance API flow including signature generation and validation.