User Rating 0.0 ★★★★★

Total Usage 0 times

Category Dev Generators

Timestamp (YYYYMMDDHHmmss)

14-digit UTC+7 timestamp

Merchant ID (iMid) Assigned by Nicepay

Reference No Unique merchant order reference

Amount (no decimals) Integer string, e.g. 10000

Merchant Key (mKey)

Secret key from Nicepay dashboard

Is this tool helpful?

Your feedback helps us improve.

★ ★ ★ ★ ★

About

Payment gateway API authentication relies on hash-based message verification. A malformed merchant token causes transaction rejection, failed refunds, or silent payment capture errors that surface only during reconciliation. This tool computes the SHA-256 digest of concatenated parameters - timeStamp, iMid, referenceNo, amt, and merchantKey - matching the Nicepay V2 specification. The hash is produced via the native Web Crypto API, not a polyfill. Parameter order is rigid: transposing iMid and referenceNo yields a completely different digest. This tool assumes UTC+7 (WIB) timestamp convention unless overridden. It does not validate whether your iMid is sandbox or production - that distinction is yours to track.

Formulas

The merchant token is a SHA-256 cryptographic hash of a concatenated input string. The concatenation order is fixed and must not be altered.

merchantToken = SHA256(timeStamp + iMid + referenceNo + amt + merchantKey)

Where timeStamp = transaction timestamp in YYYYMMDDHHmmss format (14 digits), iMid = merchant ID assigned by Nicepay (e.g., IONPAYTEST), referenceNo = unique merchant order reference, amt = transaction amount as a string with no decimal separators (e.g., 10000), and merchantKey = secret key provided by Nicepay. The output is a 64-character lowercase hexadecimal string. The digest function maps an arbitrary-length input to a fixed 256-bit output. Changing a single character in any parameter produces a completely different hash due to the avalanche property of SHA-256.

Reference Data

API Operation	Token Formula	Required Parameters	HTTP Method	Endpoint Path
Registration	SHA256(timeStamp + iMid + referenceNo + amt + merchantKey)	timeStamp, iMid, referenceNo, amt, merchantKey	POST	/nicepay/direct/v2/registration
Payment	SHA256(timeStamp + iMid + referenceNo + amt + merchantKey)	timeStamp, iMid, referenceNo, amt, merchantKey	POST	/nicepay/direct/v2/payment
Cancel / Void	SHA256(timeStamp + iMid + referenceNo + amt + merchantKey)	timeStamp, iMid, referenceNo, amt, merchantKey	POST	/nicepay/direct/v2/cancel
Inquiry (Check Status)	SHA256(timeStamp + iMid + referenceNo + amt + merchantKey)	timeStamp, iMid, referenceNo, amt, merchantKey	POST	/nicepay/direct/v2/inquiry
Notification (Push)	SHA256(timeStamp + iMid + referenceNo + amt + merchantKey)	timeStamp, iMid, referenceNo, amt, merchantKey	POST (callback)	Your callback URL
VA Registration	SHA256(timeStamp + iMid + referenceNo + amt + merchantKey)	timeStamp, iMid, referenceNo, amt, merchantKey	POST	/nicepay/direct/v2/registration
E-Wallet	SHA256(timeStamp + iMid + referenceNo + amt + merchantKey)	timeStamp, iMid, referenceNo, amt, merchantKey	POST	/nicepay/direct/v2/registration
Payout	SHA256(timeStamp + iMid + referenceNo + amt + merchantKey)	timeStamp, iMid, referenceNo, amt, merchantKey	POST	/nicepay/api/direct/v2/requestPayout
QRIS	SHA256(timeStamp + iMid + referenceNo + amt + merchantKey)	timeStamp, iMid, referenceNo, amt, merchantKey	POST	/nicepay/direct/v2/registration
Convenience Store	SHA256(timeStamp + iMid + referenceNo + amt + merchantKey)	timeStamp, iMid, referenceNo, amt, merchantKey	POST	/nicepay/direct/v2/registration
Credit Card 3DS	SHA256(timeStamp + iMid + referenceNo + amt + merchantKey)	timeStamp, iMid, referenceNo, amt, merchantKey	POST	/nicepay/direct/v2/registration

Frequently Asked Questions

The most common cause is whitespace contamination. Trailing spaces, newline characters, or invisible UTF-8 BOM marks in any parameter will alter the SHA-256 digest. Copy-pasting from spreadsheets or rich-text editors often introduces these. Trim all inputs. Additionally, verify that the amount field contains no decimal point or thousands separator - Nicepay expects an integer string (e.g., "10000" not "10,000" or '100.00').

Nicepay enforces a tolerance window (typically ±5 minutes) between the timestamp in your token and their server clock. If your system clock drifts beyond this window, the token will be rejected with a timestamp mismatch error. Use NTP-synchronized time. The format must be exactly 14 digits: YYYYMMDDHHmmss with no separators. The timezone convention is UTC+7 (WIB) unless your integration documentation specifies otherwise.

No. Each token is bound to the specific combination of timestamp, reference number, and amount. Reusing a token with different transaction parameters will fail validation. Even for the same amount and reference, the timestamp component will differ, producing a different hash. Generate a fresh token for every API call.

The token algorithm is identical. The difference lies entirely in the iMid and merchantKey values. Sandbox uses test credentials (e.g., iMid = 'IONPAYTEST') while production uses your assigned live credentials. A token generated with sandbox credentials will not authenticate against the production endpoint and vice versa. This tool does not distinguish between environments - it hashes whatever you provide.

Use the Nicepay sandbox environment. Submit a registration request with your generated token to their sandbox endpoint. If the response returns resultCd = "0000", the token is valid. Alternatively, you can cross-check by generating the same token using a different SHA-256 tool (e.g., openssl dgst -sha256) with the same concatenated input string. The hexadecimal outputs must match exactly.

For IDR (Indonesian Rupiah) transactions, the amount is always a whole number with no decimal places - e.g., "10000" for Rp 10,000. For currencies with subunits (USD, SGD), Nicepay may require the amount in the smallest unit (cents), so $100.50 becomes "10050". Check your specific Nicepay integration documentation for the currency handling rules applicable to your merchant configuration.