XL DCB API for Partner

01 - Authentication

Authentication Method

All partner-facing endpoints use:
  • API Key
  • HMAC Signature
  • Anti-replay protection (timestamp window + unique nonce)

Triyakom will provide:
  • X-Partner-Id
  • X-Api-Key
  • HMAC Secret

Signature

StringToSign

METHOD + "\n" +
PATH + "\n" +
X-Timestamp + "\n" +
X-Nonce + "\n" +
SHA256(BodyRaw)

Signature Value

X-Signature = Base64(HMACSHA256(hmacSecret, stringToSign))
Signature — Worked Example

Given the following inputs:
  • Partner Secret: sup3r-s3cr3t-hmac-key
  • METHOD: POST
  • PATH: /partner-dcb/v1/subscriptions
  • X-Timestamp: 2026-07-01T08:00:00Z
  • X-Nonce: a1b2c3d4e5f64789abcdef1234567890
  • Raw Body: {"msisdn":"628123456789","product_id":"DAILY_BASIC","partner_ref_id":"ORDER-001","amount":2000,"payment_method":"XL"}

Step 1 — Hash the raw body with SHA256 (lowercase hex):
SHA256(RawBody) = 57319404d1f0675f809fcd014bb2083e1d229df553a5b2355fcaadec901ffbdb

Step 2 — Assemble StringToSign (fields joined by \n newline character):
POST\n/partner-dcb/v1/subscriptions\n2026-07-01T08:00:00Z\na1b2c3d4e5f64789abcdef1234567890\n57319404d1f0675f809fcd014bb2083e1d229df553a5b2355fcaadec901ffbdb

Step 3 — Compute HMAC-SHA256 of StringToSign using Partner Secret (lowercase hex):
X-Signature = 9aa9cb658b8af3480a2ada9da660868e4c052eab01ca50304f24f5e83f2a50ea

⚠️ Important notes:
  • The raw body used for hashing must be byte-for-byte identical to what is sent in the HTTP request (same encoding, same whitespace).
  • Both SHA256(RawBody) and X-Signature must be lowercase hex strings.
  • X-Nonce must be a unique UUID v4 per request (reuse will be rejected with DUPLICATE_NONCE).
  • X-Timestamp must be within ±300 seconds of server time (rejects stale/future requests).

Anti-Replay

Requests are rejected if:
  • X-Timestamp is outside the allowed window (recommended ±5 minutes), or
  • X-Nonce has already been used by the same partner.
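
The signing steps and the anti-replay rules above, put together as an added Python example (not Triyakom's reference code). It assumes the lowercase-hex signature encoding used in the worked example and notes (the Signature Value line says Base64); the Verifier class, the "PARTNER-1" id, the clock value and every result string except DUPLICATE_NONCE are hypothetical.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=300)  # the page's +/-300 second timestamp window

def sign(secret: bytes, method: str, path: str, timestamp: str, nonce: str, body: bytes) -> str:
    """StringToSign as the page defines it, signed with HMAC-SHA256 (lowercase hex)."""
    body_hash = hashlib.sha256(body).hexdigest()  # hash the exact bytes that go on the wire
    string_to_sign = "\n".join([method, path, timestamp, nonce, body_hash])
    return hmac.new(secret, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

class Verifier:
    """Hypothetical receiver; only DUPLICATE_NONCE is a code named on the page."""

    def __init__(self, secrets):
        self.secrets = secrets  # partner id -> HMAC secret bytes
        self.seen = set()       # (partner id, nonce); a real store expires entries after the window

    def check(self, partner_id, method, path, timestamp, nonce, body, signature, now):
        try:
            ts = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return "BAD_TIMESTAMP"
        if abs(now - ts) > WINDOW:
            return "TIMESTAMP_OUT_OF_WINDOW"
        secret = self.secrets.get(partner_id)
        if secret is None:
            return "UNKNOWN_PARTNER"
        expected = sign(secret, method, path, timestamp, nonce, body)
        # Constant-time compare, and verify before touching the nonce store so an
        # unauthenticated caller cannot fill it or burn a partner's nonces.
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "BAD_SIGNATURE"
        if (partner_id, nonce) in self.seen:
            return "DUPLICATE_NONCE"
        self.seen.add((partner_id, nonce))
        return "OK"

if __name__ == "__main__":
    # Inputs from the page's worked example; "PARTNER-1" and the clock value are constructed.
    body = b'{"msisdn":"628123456789","product_id":"DAILY_BASIC","partner_ref_id":"ORDER-001","amount":2000,"payment_method":"XL"}'
    args = ("POST", "/partner-dcb/v1/subscriptions", "2026-07-01T08:00:00Z",
            "a1b2c3d4e5f64789abcdef1234567890", body)
    sig = sign(b"sup3r-s3cr3t-hmac-key", *args)
    v = Verifier({"PARTNER-1": b"sup3r-s3cr3t-hmac-key"})
    now = datetime(2026, 7, 1, 8, 0, 30, tzinfo=timezone.utc)
    print(v.check("PARTNER-1", *args, sig, now))  # first delivery
    print(v.check("PARTNER-1", *args, sig, now))  # same request replayed
```

On the sending side, sign the serialized body bytes and transmit those same bytes; re-serializing the JSON after signing changes the hash.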

Modified at 2026-05-11 09:36:55