Integration steps
Get in touch
Sign in
Integration steps
Step-by-step instructions for the technical integration of the chargeback alert system

Chargeback API conforms to REST design principles, featuring resource-oriented URLs, JSON-encoded request and response bodies, standard HTTP response codes, and authentication protocols.

When integrating Chargebackhit, consider the total response time for your requests. This includes network latency, data enrichment from third-party servers, and the matching process to apply your rules and configurations.

SLA response times are under 2 seconds for inquiry, less than 24 hours for init-refund according to rules, and not critical for all other alert types.

To start the integration process, receive an email invitation with credentials for accessing the Chargebackhit HUB . It is recommended that the account holder handle steps 1-2, and the developer handle steps 3–6.

Step 1. Get API credentials

To get API credentials


  1. Log in to the Chargebackhit HUB .
  2. Go to Account settings.
  3. In the API keys section, get your Public and Secret API keys.

Step 2. Set notification URL

To set a notification URL


  1. Prepare a notification URL for both the sandbox and production environments.
  2. Log in to the Chargebackhit HUB .
  3. Go to Account settings.
  4. In the Notification URL section, specify your URL.
You can modify the notification URL within the Account settings section of the web portal when required.

Step 3. Create signature

Generate a digital signature using the SHA-512 hash function encoded in base64. This signature uses the concatenation of the public key, JSON-encoded request data, and the public key again as input.

public_key + requestJsonData + public_key
1
2
3
4
function generateSignature(string $jsonEncodedBody, string $secretKey, string $publicKey): string
{
    return base64_encode(hash_hmac('sha512', $publicKey . $jsonEncodedBody . $publicKey, $secretKey));
}
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
import (
    "crypto/hmac"
    "crypto/sha512"
    "encoding/base64"
    "encoding/hex"
)

func GenerateSignature(jsonString, publicKey, secretKey string) string {
    payloadData := publicKey + jsonString + publicKey
    keyForSign := []byte(secretKey)
    h := hmac.New(sha512.New, keyForSign)
    h.Write([]byte(payloadData))
    return base64.StdEncoding.EncodeToString([]byte(hex.EncodeToString(h.Sum(nil))))
}
1
2
3
4
5
6
7
8
import base64
import hashlib
import hmac

def generate_signature(data: str, public_key: str, secrey_key: str) -> str:
    encrypto_data = (public_key + data + public_key).encode('utf-8')
    sign = hmac.new(secrey_key.encode('utf-8'), encrypto_data, hashlib.sha512).hexdigest()
    return base64.b64encode(sign.encode('utf-8')).decode('utf-8')
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
import java.util.*
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

private const val HMAC_SHA512 = "HmacSHA512"

fun generateSignature(jsonString: String, publicKey: String, secretKey: String): String {
    val hmac = hmac(publicKey + jsonString + publicKey, secretKey)

    return base64encode(hmac)
}

private fun base64encode(data: ByteArray): String {
    return Base64.getUrlEncoder().encodeToString(data.toHexString().toByteArray())
}
  
fun ByteArray.toHexString() = joinToString("") { "%02x".format(it) }

private fun hmac(data: String, key: String): ByteArray {
    val sks = SecretKeySpec(key.toByteArray(), HMAC_SHA512)
    val mac = Mac.getInstance(HMAC_SHA512)
    mac.init(sks)
   
    return mac.doFinal(data.toByteArray())
}
1
2
3
4
5
6
7
const CryptoJS = require("crypto-js");

function generateSignature(publicKey, secretKey, data) {
  var hashed = CryptoJS.HmacSHA512(publicKey + data + publicKey, secretKey);

  return Buffer.from(hashed.toString()).toString('base64')
}

Step 4. Verify signature

Verify the integrity and authenticity of notifications using the public and secret keys to calculate the signature. Headers of each request are to be placed in the following:

Parameter Description Example
signature Signature of the request allows verifying whether the request is genuine. MjNiYjVjxxxZhYmMxMzNiZDY=
public_key Unique identification, which is shared at the moment of registration along with the Private Key. Account

Step 5. Generate sandbox alerts

Initially configure and test the integration using sandbox alerts, which can be manually generated in the sandbox account under the alerts section.

Step 6. Match alerts

Match alerts to the corresponding transactions in the merchant’s database or CRM system using an appropriate matching algorithm.

It is a straightforward process, but in some cases, it is needed to apply Guide
Internal logic for quick matching of alert data by the system in real-time.
specific matching
algorithm.


Looking for help? Contact us
Stay informed with Changelog