5. Authorization

When communicating over HTTP using Beckn APIs, the subscribers need to authenticate themselves to perform transactions with other subscribers. Due to the commercial nature of the transactions, every request/callback pair is considered to be a "contract" between two parties. Therefore, it is imperative that all requests and callbacks are digitally signed by the sender and subsequently verified by the receiver.

Below document describes a way for network subscribers (BAP/BPPs) and proxy subscribers (BGs) to simultaneously add authentication and message integrity to HTTP messages by using digital signatures.

https://docs.google.com/document/d/1Iw_x-6mtfoMh0KJwL4sqQYM0kD17MLxiMCUOZDBerBo/edit?usp=sharing

Here is a document to help you with the requirements and understanding the Auth Header Signing and Verification process and utilities available for the same.

https://docs.google.com/document/d/1-xECuAHxzpfF8FEZw9iN3vT7D3i6yDDB1u2dEApAjPA/edit?usp=sharing

Signing and Verification Utilities: This utility will help you generate key pairs, create/verify authorization headers.

https://github.com/ONDC-Official/reference-implementations/tree/main/utilities/signing_and_verification

https://github.com/ONDC-Official/reference-implementations/tree/main/utilities/ondc-crypto-utility-master

Tech Guides

5. Authorization

Related content