Get Started: Krungsri API portal

How to get started with the Krungsri API portal.


How to get started


1. Sign Up

To start trying our APIs, you need to sign up for an account.
Steps:
  • Go to the Sign Up page.
  • Fill in the Sign Up form and submit it; we'll send you an email with a link to activate your account.
  • Click the link to activate your account, then log in.
  • On the My Apps page you can see the Sandbox Application that we created for your account.

1.1 Play in our Sandbox

If you are just passing by, or are not a developer, you can easily see how our APIs work through the GUI of our API explorer.
Steps:
  • Go to the Sandbox Explorer page.
  • Click the Get Token button. It automatically calls the authentication API and obtains a Bearer token for you.
  • Select an API to try.
  • Enter the parameters.
  • Click Submit to call the API.
(Figure: GS_001.png)

1.2 If you have API experience and want to make real API calls, use the HTTP client of your choice (e.g. Postman, SoapUI, HTTPBot) to play with the sandbox.

The authentication method is described below.
For server-to-server calls we use the OAuth2 Client Credentials grant to secure these APIs. All API specifications provided on the Developer Portal are Swagger 2.0 based. The Swagger file describes all the information required to make a valid request, with the required authentication in its securityDefinitions section. The Swagger file can be downloaded from the Developer Portal.
(Figure: GS_002.png)

a. Request Access Token: OAuth2 Client Credentials Grant

The partner application provides its own credentials (Client ID and Client Secret) to the OAuth2 API using HTTP Basic Authentication to retrieve an access token.
A typical access-token request, with no scope specified, looks like this:

    curl -X POST -d "grant_type=client_credentials" -H "Authorization: Basic bDdjZW..." \
      https://sandbox.api.krungsri.com/auth/oauth/v2/token

With scopes provided (the token endpoint is always called over https, since the Basic header carries the Client Secret):

    curl -X POST -d "scope=transfer:onus+inquiry:offus&grant_type=client_credentials" -H "Authorization: Basic bDdjZW..." \
      https://sandbox.api.krungsri.com/auth/oauth/v2/token

b. Response Access Token

Several responses are possible; only HTTP status 200 means a successful authentication.

The HTTP POST method was not used:

    HTTP/1.1 405 Method Not Allowed
    {
      "error":"invalid_method",
      "error_description":"GET not permitted"
    }

The Client ID / Client Secret pair is not valid. Recheck these values in the Developer Portal and ensure the application is active:

    HTTP/1.1 401 Unauthorized
    {
      "error":"invalid_client",
      "error_description":"The given client credentials were not valid"
    }

The "Required Grant Type" list is empty; the client_credentials grant type should be part of it:

    HTTP/1.1 401 Unauthorized
    {
      "error":"unauthorized_grant_type",
      "error_description":"No configuration allow_grant_type for this client has been requested"
    }

The client_credentials grant type is not part of the "Required Grant Type" list:

    HTTP/1.1 401 Unauthorized
    {
      "error":"unauthorized_grant_type",
      "error_description":"The specified value for grant_type is not allowed for the client"
    }

Invalid grant_type value; recheck that it is set to client_credentials:

    HTTP/1.1 400 Bad Request
    {
      "error":"unsupported_grant_type",
      "error_description":"The given grant_type is not supported"
    }

The requested scope is not among the scopes allowed for the application in the Developer Portal:

    HTTP/1.1 400 Bad Request
    {
      "error":"invalid_scope",
      "error_description":"No registered scope value for this client has been requested"
    }

Successful authentication with the requested scope(s):

    HTTP/1.1 200 OK
    {
      "access_token":"11da2e69-1774-4e9a-b0ab-103b4669110d",
      "token_type":"Bearer",
      "expires_in":3600,
      "scope":"transfer:onus inquiry:offus"
    }

Successful authentication with the default scope:

    HTTP/1.1 200 OK
    {
      "access_token":"008b3a58-065e-422c-b97f-3efe75017a64",
      "token_type":"Bearer",
      "expires_in":3600,
      "scope":"oob"
    }

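The token request and the responses in sections a and b, as an added Python example. This is not Krungsri's own code: it builds the client-credentials request exactly as the curl examples do (Basic header, form body, https only) and maps each documented error code to the corrective action listed above. The token URL and the response bodies come from this page; the Client ID and Client Secret are constructed placeholders.

```python
"""Added example (not Krungsri's own code): build an OAuth2 client-credentials
token request for the sandbox and interpret the token responses documented above.

Assumptions: the token endpoint and the response bodies are the ones shown on
this page; the Client ID / Client Secret below are constructed placeholders.
"""
import base64
import json
from urllib.parse import urlencode

TOKEN_URL = "https://sandbox.api.krungsri.com/auth/oauth/v2/token"

# Constructed placeholder credentials: replace with the values from My Apps.
CLIENT_ID = "PLACEHOLDER-client-id"
CLIENT_SECRET = "PLACEHOLDER-client-secret"


def build_token_request(client_id, client_secret, scopes=(), token_url=TOKEN_URL):
    """Return (url, headers, body) for a client_credentials grant.

    The credentials travel in an HTTP Basic header (RFC 6749 section 2.3.1),
    so the endpoint must be https; a plain-http token URL would expose the
    Client Secret on the wire.
    """
    if not token_url.startswith("https://"):
        raise ValueError("token endpoint must use https")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    params = {"grant_type": "client_credentials"}
    if scopes:
        # Scopes are space separated; urlencode writes the space as '+',
        # matching the scope=transfer:onus+inquiry:offus form of the curl example.
        params["scope"] = " ".join(scopes)
    headers = {
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return token_url, headers, urlencode(params)


# Documented error codes mapped to the fix on the client side. None of these
# is transient, so a client should surface them rather than retry in a loop.
ERROR_HINTS = {
    "invalid_method": "send the request with HTTP POST",
    "invalid_client": "recheck Client ID / Client Secret in the Developer Portal and that the application is active",
    "unauthorized_grant_type": "client_credentials must be in the application's Required Grant Type list",
    "unsupported_grant_type": "set grant_type=client_credentials",
    "invalid_scope": "request only scopes allowed for the application in the Developer Portal",
}


def interpret_token_response(status, body):
    """Turn (HTTP status, JSON body) into a dict; only a 200 with a token is ok."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return {
            "ok": True,
            "access_token": data["access_token"],
            "token_type": data.get("token_type"),
            "expires_in": int(data.get("expires_in", 0)),
            "scopes": data.get("scope", "").split(),
        }
    error = data.get("error", "unknown_error")
    return {
        "ok": False,
        "status": status,
        "error": error,
        "hint": ERROR_HINTS.get(error, data.get("error_description", "")),
    }


# Constructed sample responses in the shapes shown on this page.
SAMPLE_RESPONSES = [
    (200, '{"access_token":"11da2e69-1774-4e9a-b0ab-103b4669110d",'
          '"token_type":"Bearer","expires_in":3600,"scope":"transfer:onus inquiry:offus"}'),
    (401, '{"error":"invalid_client","error_description":"The given client credentials were not valid"}'),
    (400, '{"error":"invalid_scope","error_description":"No registered scope value for this client has been requested"}'),
]

if __name__ == "__main__":
    url, headers, body = build_token_request(CLIENT_ID, CLIENT_SECRET, ("transfer:onus", "inquiry:offus"))
    print("POST", url, body)  # the Authorization header is deliberately not printed
    for status, raw in SAMPLE_RESPONSES:
        print(status, interpret_token_response(status, raw))
```

To send the request for real, pass the returned url, headers and body to any HTTP client; the structured result from interpret_token_response tells the caller whether it holds a usable token (and for which scopes and how long) or which portal setting to fix.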
c. Call Any API with the Access Token

The access token can then be used to make an API call. A typical call looks like this:

    curl -X POST -H "X-Client-Transaction-ID: 4b3214dd-4db0-496a-baf1-b269f33fde1f" \
      -H "API-Key: l7cee87..." \
      -H "Content-Type: application/json; charset=UTF-8" \
      -H "Authorization: Bearer 11da2e69-1774-4e9a-b0ab-103b4669110d" \
      --data [JSON_BODY_DATA] https://sandbox.api.krungsri.com/[END_POINT]
The following request headers are commonly used. Note that header field names are case insensitive according to RFC 7230 (section 3.2).

Authorization
  Description: Bearer authentication (OAuth token) is supported. The Swagger file describes each API's requirements. More information about authentication and authorization can be found here.
  Example: Bearer mytoken123

API-Key
  Description: Client ID of the partner application.
  Example: l7ee87…

Content-Type
  Description: When there is a request body, indicates its content type according to RFC 7231 (section 3.1.1.5). Most APIs today only support application/json, where UTF-8 is mandated.
  Example 1: application/json; charset=utf-8
  Example 2: application/xml; charset=TIS-620

X-Client-Transaction-Datetime
  Description: Date and time on the client side, in ISO 8601 format.
  Example: 1997-07-16T19:20:30.45+07:00

X-Client-Transaction-ID
  Description: UUID v4 (RFC 4122) generated by the client. It uniquely identifies the transaction for audit or investigation purposes. It is the client's responsibility to make it unique; the gateway does not validate its uniqueness. See below for sample code provided to help our developers generate a UUID v4.
  Example: 38359a61-8128-4aba-9e7f-2f556610fa76

X-Signature
  Description: Signature of the request body using the "Signature Key" provided in the Application Information in the Developer Portal. Algorithm used: HMAC SHA-256. More information and sample code are provided in the next section.
  Example: hKUKvKvcYQu7gmqrYOOq6F1D2Lt+Js/mG4D3vj/fxmk=

d. Response from API

The following response headers are commonly used.

Content-Type
  Description: Indicates the response content type according to RFC 7231 (section 3.1.1.5). Most APIs today only support application/json, where UTF-8 is mandated.
  Example 1: application/json; charset=utf-8
  Example 2: application/xml; charset=TIS-620

X-Client-Transaction-ID
  Description: UUID (RFC 4122) provided in the request header by the client to uniquely identify the transaction; it is echoed back so the client can correlate the response.
  Example: 38359a61-8128-4aba-9e7f-2f556610fa76

X-Server-Transaction-ID
  Description: UUID generated by the Krungsri API gateway to uniquely identify the transaction.
  Example: ed572fae-80a5-4763-a0c7-1cc60a3ba2b5

X-Server-DateTime
  Description: Date and time on the server side, in ISO 8601 format.
  Example: 1997-07-16T19:20:30.45+07:00

What are Client ID, Client Secret and Message Signature?

Client ID (API-Key)
The public identifier of your application. It is sent in every call so we can tell who is requesting information.
Client Secret
The private identifier of your application. It allows us to verify your identity in the authentication step of our APIs.
Message Signature

Following international API best practice, the message signature adds security on top of the standard network encryption for highly sensitive API calls. In the (unlikely) event that the network-layer security is compromised, this additional layer makes it harder for an attacker to alter the request message and its associated signature.

A Keyed-Hash Message Authentication Code (HMAC) using SHA-256 is used to create the signature. The symmetric key is the "Signature Key" registered in the Developer Portal as part of the application's detailed information.

(Figure: GS_003.png)

In addition, Base64 encoding is used to convert the signature byte array to a string. When text is to be signed, it is first encoded as UTF-8.

In pseudo-code:

  • Signature = BASE64(hmac-sha256(my-byte-array, signature-key))
  • Signature = BASE64(hmac-sha256(UTF8-byte-array(my-text), signature-key))

For testing purposes, the following sample data is provided:

  • Signature Key: 12345678901234567890123456789012
  • Text: {"message","hello"}
  • Signature: WDNZzm22RFQs1uZUXmgVDgjDz379GzBbG939DJNP+8A=
Java

    package demo;

    import java.nio.charset.StandardCharsets;
    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import java.util.Base64;
    import javax.crypto.Mac;
    import javax.crypto.spec.SecretKeySpec;

    public class DemoHMAC {
      private static final String SIGNATURE_KEY = "12345678901234567890123456789012";
      private static final String ALGORITHM = "HmacSHA256";

      // Returns BASE64(HMAC-SHA256(UTF8(payload), UTF8(SIGNATURE_KEY))), the X-Signature value.
      public static String doHmacSha256Base64(String payload) throws NoSuchAlgorithmException, InvalidKeyException {
        byte[] keyBytes = SIGNATURE_KEY.getBytes(StandardCharsets.UTF_8);
        byte[] body = payload.getBytes(StandardCharsets.UTF_8);
        Mac sha256HMAC = Mac.getInstance(ALGORITHM);
        sha256HMAC.init(new SecretKeySpec(keyBytes, ALGORITHM));
        // warning: a Mac instance is not thread safe; create one per call, as here
        byte[] hmacByte = sha256HMAC.doFinal(body);
        return Base64.getEncoder().encodeToString(hmacByte);
      }

      public static void main(String[] args) throws Exception {
        long startTime = System.currentTimeMillis();
        String requestBody = "hello";
        String hmac1 = DemoHMAC.doHmacSha256Base64(requestBody);
        // request.setHeader("X-Signature", hmac1);
        long elapsedTime = System.currentTimeMillis() - startTime;

        System.out.println("Base64 Signature : " + hmac1);
        System.out.println("Time to calculate : " + elapsedTime + "ms");
      }
    }

Go

    package main

    import (
      "crypto/hmac"
      "crypto/sha256"
      "encoding/base64"
      "fmt"
    )

    func main() {
      requestBody := []byte("hello")
      signatureKey := []byte("12345678901234567890123456789012")

      // X-Signature = BASE64(HMAC-SHA256(requestBody, signatureKey))
      mac := hmac.New(sha256.New, signatureKey)
      mac.Write(requestBody)
      xSignature := base64.StdEncoding.EncodeToString(mac.Sum(nil))

      fmt.Println("Base64 Signature : " + xSignature)
    }

Node.js

    var crypto = require('crypto')
      , requestBody = 'a\u25CFa' // contains a non-ASCII character: the body is UTF-8 encoded before hashing
      , signatureKey = '12345678901234567890123456789012'
      , xSignature

    // X-Signature = BASE64(HMAC-SHA256(UTF8(requestBody), signatureKey))
    xSignature = crypto.createHmac('sha256', signatureKey).update(requestBody, 'utf8').digest('base64')
    console.log("Base64 Signature : ", xSignature)

                            
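The signed API call of section c and the Message Signature scheme above, as an added Python example that is not Krungsri's own code or any of the samples above. It assembles the per-request headers (X-Client-Transaction-ID as a UUID v4, X-Client-Transaction-Datetime as ISO 8601 with a UTC offset, X-Signature as BASE64(HMAC-SHA256(UTF8(body), signatureKey))) and also shows the receiver-side check: recompute the HMAC over the exact bytes received and compare in constant time. The Signature Key is the page's test key; the API-Key and endpoint path are constructed placeholders, and the access token is the one from the sample response above.

```python
"""Added example (not Krungsri's own code): build the request headers described
above for a JSON body and verify an X-Signature the way a receiver would.

Assumptions: signature = BASE64(HMAC-SHA256(UTF8(body), UTF8(signatureKey))) as
this page states; API_KEY and ENDPOINT are constructed placeholders.
"""
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone, timedelta

SIGNATURE_KEY = "12345678901234567890123456789012"              # test key from this page
API_KEY = "PLACEHOLDER-client-id"                                # constructed placeholder
ENDPOINT = "https://sandbox.api.krungsri.com/PLACEHOLDER_END_POINT"  # constructed placeholder


def sign_body(body, signature_key=SIGNATURE_KEY):
    """Return BASE64(HMAC-SHA256(UTF8(body), UTF8(key))); body may be str or bytes."""
    if isinstance(body, str):
        body = body.encode("utf-8")  # text is UTF-8 encoded before hashing
    mac = hmac.new(signature_key.encode("utf-8"), body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_signature(body, presented, signature_key=SIGNATURE_KEY):
    """Receiver-side check: recompute over the received bytes, compare in constant time."""
    expected = sign_body(body, signature_key)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


def client_datetime(now=None):
    """ISO 8601 timestamp with an explicit offset, e.g. 1997-07-16T19:20:30.450+07:00."""
    now = now or datetime.now(timezone(timedelta(hours=7)))
    if now.tzinfo is None:
        raise ValueError("client datetime must carry a timezone offset")
    return now.isoformat(timespec="milliseconds")


def build_signed_request(body, access_token, api_key=API_KEY, signature_key=SIGNATURE_KEY):
    """Return (url, headers, body_bytes). The bytes that are signed are the bytes sent."""
    body_bytes = body.encode("utf-8") if isinstance(body, str) else body
    headers = {
        "Authorization": "Bearer " + access_token,
        "API-Key": api_key,
        "Content-Type": "application/json; charset=UTF-8",
        "X-Client-Transaction-ID": str(uuid.uuid4()),  # RFC 4122 v4, fresh per request
        "X-Client-Transaction-Datetime": client_datetime(),
        "X-Signature": sign_body(body_bytes, signature_key),
    }
    return ENDPOINT, headers, body_bytes


if __name__ == "__main__":
    # The page's sample text, signed with the page's test key.
    url, headers, body = build_signed_request('{"message","hello"}',
                                              "11da2e69-1774-4e9a-b0ab-103b4669110d")
    print("POST", url)
    for name, value in headers.items():
        if name != "Authorization":  # never log bearer tokens
            print(f"{name}: {value}")
    print("signature valid:", verify_signature(body, headers["X-Signature"]))
    print("tampered body valid:", verify_signature(body + b" ", headers["X-Signature"]))
```

Running the block prints the signature it computes for the sample text and key, which can be compared with the sample signature listed above. The tampered-body line illustrates why the receiver must hash the bytes it actually received, not a re-serialised copy: a single extra byte changes the HMAC, and the constant-time comparison avoids leaking how many leading characters of a guessed signature were correct.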

How to Become a Partner

We are ready to help you reach your goals as a financial technology partner and keep your business moving faster. To integrate with our production APIs, submit your idea through the Contact Us menu. Our sales team will then review your business needs to determine whether we will be a good fit; you will agree to Krungsri's Terms and Conditions and then sign the MOU.
  • Our technical team will support the integration.
  • API testing will be performed and validated based on your use cases.
  • Once testing is complete, integrate with the production APIs.
  • Go live.
