Testing our API’s
To begin testing our APIs, you will first need to be onboarded to our User Acceptance Testing (UAT) environment. This will allow you to test the APIs and understand how they work before moving into production.
For flexibility, you have two options:
-
Rapid Testing: For quick and easy testing, you can use the tool below. It allows you to rapidly generate client assertions and perform payload signing and encryption without writing any code. This is the fastest way to test the signing and encryption functionality.
-
Manual Coding: You can write your own code for client assertion signing and payload signing and encryption, giving you complete control over the process. This option is ideal if you prefer to integrate these tasks directly into your development environment.
Use the tool below to generate your client assertions and sign/encrypt payloads for testing in the UAT environment.
How to get onboarded
To be onboarded, please contact your Relationship Manager, who will guide you through the process. Once you are successfully onboarded, you will be provided with the following:
- Encryption Keys: A set of public and private keys to use for secure interactions with the API.
- API Key: Your unique API key to authenticate your requests.
- Client Code: A unique identifier for your application, used as the sub (subject) in the JWT payload.
Once onboarded, you can access our UAT environment, where you will be able to test our APIs using the signing and encryption processes outlined in this guide.
How to test
After onboarding, you will be able to test our APIs by using the tools we provided below:
- Client Assertion JWT Signing: You can sign your client assertions using your provided private key and test your API calls with the JWT-based authentication.
- Payload Signing and Encryption: You will be able to sign and encrypt payloads to ensure data integrity and confidentiality during testing.
- Generate cURL Commands: Automatically generate a cURL command to request an authentication token and send API requests
This guide will walk you through the steps for testing, including signing client assertions and encrypting payloads, ensuring secure communication with our APIs in the UAT environment. If you need any assistance during the process, your Relationship Manager will be available to help.
How to use client assertion JWT signing and payload signing and encryption
- Prepare the JWT payload:
- Include the required client code sub (subject) in the Subject (sub) - Client ID: field, and in aud (audience) enter the token endpoint URL.
- Note: The client code will be supplied as part of the onboarding process, which will be facilitated by your Relationship Manager.
- Sign the JWT:
- Enter your private key (in PKCS#8 format) to sign the JWT using the RS256 algorithm. The signed JWT becomes your client_assertion.
- Note: The private and public keys will be supplied as part of the onboarding process, which will be facilitated by your Relationship Manager.
- Make the API request:
- Send a POST request to the token endpoint with the following parameters:
- grant_type=client_credentials
- client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
- client_assertion=[Your Signed JWT]
- Send a POST request to the token endpoint with the following parameters:
- Receive the Token:
- If the request is successful, you will receive a bearer token (access token) in the response, which can be used to access the APIs.
How to use payload signing and encryption
- Prepare the Payload:
- Enter the payload data that you need to send in the Payload field. This will be the data you want to sign and encrypt before sending it through the API.
- Sign the Payload:
- Enter your private key (in PKCS#8 format) in the Signing Private Key field to sign the payload using the RS256 algorithm.
- The signed payload will ensure the integrity and authenticity of the data.
- Encrypt the Signed Payload:
- Enter the public key (in SPKI format) provided by ANZ in the Encryption Public Key field. This will be used to encrypt the signed payload.
- The payload is now encrypted, ensuring confidentiality.
- Make the API Request:
- Send the signed and encrypted payload to the respective API endpoint as part of your API request.
- The receiving system will decrypt the payload using the provided public key and verify the signature to ensure data integrity.
By following these steps, you can use the tools provided to easily sign and encrypt your payloads, ensuring secure communication with the APIs during testing.
How to Import a cURL Command into Postman and Insomnia
Importing a cURL Command into Postman
-
Copy the cURL Command: Make sure you have the full cURL command ready.
-
Open Postman: Launch the Postman application.
- Import the cURL Command:
- Click on the “Import” button located in the top left corner.
- In the “Import” modal, select “Raw text”.
- Paste your cURL command into the text area.
- Click the “Continue” button.
- Postman will parse the cURL command and convert it into a new request.
- Review the Imported Request:
- Make sure all details (method, URL, headers, and body) are correctly imported.
- You can now execute the request by clicking the “Send” button.
Importing a cURL Command into Insomnia
-
Copy the cURL Command: Ensure you have the cURL command copied.
-
Open Insomnia: Launch Insomnia on your computer.
- Import the cURL Command:
- Go to the “File” menu at the top.
- Select “Import” > “From Clipboard”.
- Insomnia will automatically recognize the cURL command and create a new HTTP request.
- Review the Imported Request:
- Verify that the request details (method, URL, headers, and body) match what was specified in the original cURL command.
- You can send the request using the “Send” button.
Troubleshooting Tips
- If you receive a 404 Not Found or other errors, double-check the following:
- URL: Make sure the URL is correct and accessible.
- Headers and Tokens: Verify that authorization tokens or headers are present if required.
- Method: Confirm that the correct HTTP method (GET, POST, etc.) is used.
Additional Information
- When importing cURL commands, Postman and Insomnia will try to automatically parse the headers, method, and body from the command. Always review the imported request to ensure it meets your requirements.
- Make sure you have a working internet connection and the API endpoint is accessible from your network.
With these steps, you can easily import and test your cURL commands in Postman and Insomnia.
Step 1. Client Assertion JWT Signing
In this step, you will create a Client Assertion, which is a JSON Web Token (JWT) signed with your private key. The Client Assertion is used to securely authenticate your application when requesting an access token from the API. By signing the JWT, you are proving the identity of your application using a digital signature, which is verified by the API server using the corresponding public key. This step is crucial for ensuring that only authorized clients can access the API.
The signed JWT generated here will automatically be used in Step 2: Generate cURL Command for Token Request to obtain an access token. You don't need to manually enter this value again—it will be included in the request when you proceed to the next step
Step 2. Generate cURL Command for Token Request
In this step, you will generate a cURL command to request an access token from the API server. cURL is a command-line tool used to transfer data to and from servers using various protocols, including HTTP. Here, the cURL command will be used to send an HTTP POST request to the API's token endpoint. This request includes your signed JWT (Client Assertion), API key, and desired scopes. The API server will validate your credentials and, if successful, return an access token. This token is essential for authenticating further API requests, including those in Step 4: Generate cURL Command for Payload Request. By using the access token obtained here, you can securely interact with the API to submit signed and encrypted payloads.
Step 3. Payload Signing and Encryption
In this step, you will sign and encrypt the payload that you want to send to the API. Signing the payload ensures its integrity and authenticity, allowing the API server to verify that the data has not been altered during transmission and that it comes from an authorized source. Encryption adds an additional layer of security by ensuring that only the intended recipient (the API server) can read the contents of the payload. This is especially important when transmitting sensitive information. The signed and encrypted payload generated here will be used in Step 4: Generate cURL Command for Payload Request to securely send your data to the API.
(The signed and encrypted payload generated here will automatically be used in Step 4: Generate cURL Command for Payload Request to send data securely to the API. You don't need to manually input this value—it will be included in the request when you proceed to the next step.)
Step 4. Generate cURL Command for Payload Request
In this step, you will generate a cURL command that sends your signed and encrypted payload to the API. This cURL command is an HTTP POST request that includes the access token obtained in Step 2 and the signed and encrypted payload created in Step 3. The purpose of this request is to securely transmit data to the API server, ensuring that only authorized users can submit information and that the data remains private during transmission.
Step 5. Retrieve Transaction Status
In this step, you will generate a cURL command to retrieve the status of a specific transaction. This cURL command sends an HTTP GET request to the API, using the Bearer Token and Transaction Identification. By retrieving the transaction status, you can verify the outcome of your request and ensure that your operations are proceeding as expected. When pasting your API End Point leave {transaction_identification} in the URL. We will populate this with the transaction ID when creating the cURL.
(If using Payto you will need to obtain the mandateID from the Mandate outcome webhook notification)