As discussed above, communication between Onafriq and the Partner's systems passes through a secure point-to-point connection. In addition, we make use of the following security features:

Network Security

The network integration between the Partner and Onafriq is secured by:
• Network communication over 128 bit SSL/TLS encryption
• Network communication occurs over VPN with restricted IP address sources and ports

Service URLs

• Testing URLs will be provided at the start of testing the service.
• Production URL will be shared upon successful UAT.

Message Level Security

The Payouts APIs implement message-level security. Partners are required to sign each request by including a digital signature, the mfsSign in their request, as described below.

The mfsSign varies depending on the API method being called.

The mfsSign value is concatenated into a single string. A unique key will be issued by Onafriq to the partner for each test and live credential, which must be used for the digital signature.

The input fields that compose the input string for the digital signature vary for each service. See the individual API sections for the input fields required for each API.

In case there is an amount in the field list, the amount format is (#.##) for two decimals only. Include zeroes if there are no decimals, i.e. present any amount as two decimals e.g. 10.00.

Concatenate the input into a single string and has using the SHA-256 algorithm.

The output hash is the mfsSign that the partner needs to pass in the request.

Message level security is handled via an authorization key. This key is required in the header Section and is created as follows:

  • Key = SHA256 (corporateCode+passCode+timestamp)
  • CorporateCode = Defined in Corporate Table
  • Password = Defined in Corporate Table
  • Timestamp = should match the defined timestamp in header section in format (yyyy-mm-dd hh:mm:ss)


MfsSign is Per API

Each API defined the fields that you need to concatenate to create the mfsSign signature. See the relevant "Message Level Security" section of each API.

What’s Next