Automatic Key Exchange
When a merchant has initiated the Amazon Pay registration process, a URL should be available to receive an encrypted object containing the merchant’s credentials once registration and setup are complete. This URL is passed to Amazon Pay in the initiating POST as the keyShareURL. When a merchant has finished the registration process, they will be prompted to transfer keys, and this triggers an HTTP POST to the keyShareURL. The encrypted credential payload will be passed via an HTTP POST payload parameter, and will be a JSON string. To see an example of the encrypted payload, see the Payload data structures section.
After receiving the encrypted payload, you need to follow the instructions in the How to decrypt credentials section to successfully decrypt the underlying merchant credentials.
keyShareURL functionality
There are two requirements for the response served by the keyShareURL back to Amazon. After processing the request, the response MUST:
- Properly set the following CORS headers:
  - Access-Control-Allow-Origin: https://payments.amazon.com
  - Access-Control-Allow-Methods: GET, POST
  - Access-Control-Allow-Headers: Content-Type
- Respond to the keyShareURL request with the following:
  - If processing the payload is successful:
    - 200 HTTP response
    - JSON object in the body:
      {"result": "success"}
  - If processing the payload is unsuccessful:
    - 400 HTTP response
    - JSON object in the body:
      {"result": "error", "message": "explanation of error"}
For a working example, view our Magento plugin version of this code, available on GitHub.
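The response rules above, as an added example in framework-independent Python (this is not Amazon's or the Magento plugin's code). It assumes the POST body is form-encoded with a field named `payload`; `handle_key_share`, `decrypt_and_store` and the body size cap are hypothetical names and values chosen for this example, and treating a non-POST request as an error is this example's choice.

```python
import json
from urllib.parse import parse_qs

# CORS headers the page requires on the keyShareURL response.
CORS_HEADERS = {
    "Access-Control-Allow-Origin": "https://payments.amazon.com",
    "Access-Control-Allow-Methods": "GET, POST",
    "Access-Control-Allow-Headers": "Content-Type",
    "Content-Type": "application/json",
}
MAX_BODY_BYTES = 64 * 1024  # assumption: cap chosen for this example


def _reply(status, result, message=None):
    """Build (status, headers, body) in the JSON shape the page specifies."""
    body = {"result": result}
    if message is not None:
        body["message"] = message
    return status, dict(CORS_HEADERS), json.dumps(body)


def handle_key_share(method, raw_body, decrypt_and_store):
    """Process one keyShareURL request and return (status, headers, body).

    decrypt_and_store is a hypothetical callable standing in for the steps
    in "How to decrypt credentials"; it must raise if anything fails.
    """
    if method != "POST":
        return _reply(400, "error", "POST required")
    if len(raw_body) > MAX_BODY_BYTES:
        return _reply(400, "error", "payload too large")
    try:
        fields = parse_qs(raw_body.decode("utf-8"), strict_parsing=True)
        payload = json.loads(fields["payload"][0])
    except (UnicodeDecodeError, ValueError, KeyError):
        # Covers a malformed form body, a missing field and invalid JSON.
        return _reply(400, "error", "payload parameter missing or not JSON")
    try:
        decrypt_and_store(payload)
    except Exception:
        # Keep decryption detail out of the response; log it server-side.
        return _reply(400, "error", "could not process payload")
    return _reply(200, "success")
```

The function returns the same CORS headers on both the 200 and 400 paths, so the caller's browser context can read the error body as well as the success body.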