DocumentationRecipesAPI ReferenceChangelog
Documentation
Start typing to search…

Overview

Our SNAP API offer a set of APIs that provide the ability to integrate with 2C2P securely and compliant.

You can use the POST method to send HTTPS requests and receive responses accordingly.


Follow the steps to begin to integrate with our SNAP API


Step 1 : Generate your RSA key and exchange keys

  1. Download the 2C2P Public Key from the 2C2P Merchant Portal: Go to Account > Options > 2C2P Public Keys
  2. Secure a pair of public and private keys. (For a guide to generating keys, referhere). Please make sure the uploaded public key is inx509 format
  3. Merchants must then upload the generated public key to the 2C2P Merchant Portal: Log in and go to Account > Options > Merchant Public Keys. Add the public key and set it as default.

Note: Do ensure that the public key uploaded to 2C2P Merchant Portal has the key ID snap.



Step 2 : Understand Message Structure

HTTPS method

POST method is being used in 2C2P SNAP API.


Header

The request header mainly contains the following fields

Note: Field names are case-insensitive.

Header FieldRequiredCode Sample
X-TIMESTAMPYes2025-08-16T00:00:46+08:00
X-CLIENT-KEYYes{YOUR_MERCHANT_ID}
X-SIGNATUREYesf6Cw095brnBF+mL589uxWUnKDc.....P0Tni4YRbH9tYFH6CvNQ==
X-PARTNER-IDYes{YOUR_MERCHANT_ID}
AuthorizationYesBearer {Token}
Content-TypeNoapplication/json

For details of each header field, please see the following descriptions:

X-TIMESTAMP

X-TIMESTAMP specifies the timestamp of when the request is sent. Please see the following format of this field

{year}-${month}-${day}T${hours}:${minutes}:${seconds}${+, -}${offsetHours}:${offsetMinutes}


X-CLIENT-KEY

This parameter is only used in OAuth API

X-CLIENT-KEY is used to identify the merchant. This is given to you during merchant onboarding.


X-SIGNATURE

X-SIGNATURE contains the signature value of this request. Please see below for details about how to generate a signature.

The syntax of generating the signature is as follows:

signature=base64Encode(sha256withRSA( {content}, {YOUR_PRIVATE_KEY} ))

  • signature: the generated signature string
  • base64Encode: the method to encode the generated digital signature.
  • sha256withrsa: the method to generate a digital signature for the provided content.
  • content : {YOUR_MERCHANT_ID}|{X-TIMESTAMP}

For OAuth, the content to be signed will be {YOUR_MERCHANT_ID}|{X-TIMESTAMP}

For Other API, the content to be signed will be the request body

Sample: 70270200000000|2025-08-16T00:00:46+08:00

  • private key : the private key value

The following code sample shows how to generate the signature:

using System;
using System.Security.Cryptography;
using System.Text;

class SignatureSampleCode
{
    public static string Sign(string merchantId, string xtimestamp, string merchantPrivateKey)
    {
        string content = $"{merchantId}|{xtimestamp}";

        using RSA rsa = RSA.Create();
        rsa.ImportFromPem(merchantPrivateKey);

        byte[] dataBytes = Encoding.UTF8.GetBytes(data);
        byte[] signedBytes = rsa.SignData(dataBytes, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        return Convert.ToBase64String(signedBytes);
    }

    static void Main()
    {
        string MERCHANT_ID = "";
        string MERCHANT_PRIVATE_KEY = ""; 

        Console.WriteLine(Sign(MERCHANT_ID, "2025-08-16T00:00:46+08:00", MERCHANT_PRIVATE_KEY));
    }
}

const crypto = require("crypto");

/**
 * Signs merchantId|timestamp using SHA256withRSA
 * @param {string} merchantId
 * @param {string} xtimestamp
 * @param {string} merchantPrivateKey your private key
 * @returns {string} Base64 signature
 */
function sign(merchantId, xtimestamp, merchantPrivateKey) {
    const content = `${merchantId}|${xtimestamp}`;

    // Sign data
    const signature = crypto.sign("sha256", Buffer.from(data, "utf8"), {
        key: privateKeyPem,
        padding: crypto.constants.RSA_PKCS1_PADDING
    });

    // Return Base64 signature
    return signature.toString("base64");
}

// Example usage
const MERCHANT_ID = "";
const MERCHANT_PRIVATE_KEY = "";

console.log(sign(MERCHANT_ID, "2025-08-16T00:00:46+08:00", MERCHANT_PRIVATE_KEY));

import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

public class SignatureSampleCode {

    /**
     * your private key, used to sign
     */
    private static final String MERCHANT_PRIVATE_KEY = "";

    /**
     * you merchantId
     */
    private static final String MERCHANT_ID = "";

    /**
     * @param merchantId    your merchantId
     * @param xtimestamp timestamp value, sample: 2025-08-16T00:00:46+08:00
     * @param merchant_private_key  your private key
     * @return
     */
    public static String sign(String merchantId, String xtimestamp, String merchant_private_key) {
        
        // content_to_be_signed
        String content = merchantId + "|" + xtimestamp;

        try {
            // sha256withRSA
            java.security.Signature signature = java.security.Signature.getInstance("SHA256withRSA");

            // privateKey
            PrivateKey priKey = KeyFactory.getInstance("RSA").generatePrivate(
                    new PKCS8EncodedKeySpec(Base64.getDecoder().decode(merchant_private_key.getBytes(StandardCharsets.UTF_8))));

            signature.initSign(priKey);
            signature.update(contentToBeSigned.getBytes(StandardCharsets.UTF_8));

            // sign
            byte[] signed = signature.sign();

            // base64Encode
            String base64EncodedSignature = new String(Base64.getEncoder().encode(signed), StandardCharsets.UTF_8);

            // urlEncode
            return base64EncodedSignature;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    public static void main(String[] args) {
        System.out.println(sign( MERCHANT_ID, "2025-08-16T00:00:46+08:00", MERCHANT_PRIVATE_KEY));
    }

}

X-PARTNER-ID

This parameter is only used in all APIs except for OAuth. For OAuth request, please use X-CLIENT-KEY

X-PARTNER-ID is used to identify the merchant. This is given to you during merchant onboarding.


Authorization

This header field is only required for subsequent request after calling SNAP OAuth API

It is not required when retrieving access token.

Value: Bearer {access token}


Body

Fields enclosed in the request body section vary depending on services. For more information, see instructions on the specific API specification.


Step 3 : Making your first API call

Environment

EnvironmentBase URL
Sandboxhttps://sandbox-pgw.2c2p.com
Productionhttps://pgw.2c2p.com

For more information on for each API, see instructions on the specific API specification.

Updated 3 minutes ago