To ensure the confidentiality and secrecy of the client credentials, OVO expects its OpenAPI partners to follow the SOP below to receive the client credentials from OVO.
No | Partner | Purpose |
---|---|---|
1 | Registration Credential in Staging | Registering partner in OVO BE staging environment |
2 | UI/UX Review. Requirement: provide mockup journey UI/UX | Review the mockup/UI/UX journey |
3 | BI Submission Testing: Devsite Testing, Functionality Testing | Partner does testing for BI requirement |
4 | UAT Testing. Requirement: share APK/IPA/Web URL for UAT | Do the UAT for each partner platform |
5 | Review UAT | UAT result will be documented and reviewed by OVO Approver |
6 | Registration Credential in Production | Registering partner in OVO side (production) |
Step | Responsibility |
---|---|
Partner needs to share their public key in .pem format with OVO PIS Team | Partner, OVO PIS Team |
OVO to generate client credentials. | OVO |
OVO to generate and share the encrypted .enc files to partner. | OVO |
Partner needs to decrypt the .enc file to extract the client credentials. | Partner |
These versions or later are recommended for generating and decrypting credentials:
Program | Version |
---|---|
OpenSSL (often on Windows) | 1.1.0 or later (2016) |
LibreSSL (often on macOS) | 2.9.1 or later (2018) |
```sh
# Generate a passphrase-protected 2048-bit RSA private key, then export its public key
openssl genrsa -des3 -out id_rsa.pem 2048
openssl rsa -in id_rsa.pem -outform PEM -pubout -out id_rsa.pub.pem
```
If merchants already have an RSA key (e.g., one they use for SSH), they can convert it instead. Note that `openssl rsa` only reads PEM-encoded keys (`BEGIN RSA PRIVATE KEY`); a key stored in OpenSSH's own format (`BEGIN OPENSSH PRIVATE KEY`) must first be exported to PEM.
```sh
openssl rsa -in id_rsa -outform pem > id_rsa.pem
openssl rsa -in id_rsa -pubout -outform pem > id_rsa.pub.pem
```
The partner needs to send id_rsa.pub.pem to OVO.
OVO will share the .enc files with the partner. The partner can execute the commands below to decrypt the .enc files and extract the client credentials:
```sh
# Unwrap the symmetric key with the partner's RSA private key, then decrypt the credential file with it
openssl rsautl -decrypt -inkey id_rsa.pem -in key.bin.enc -out key.bin
openssl enc -d -aes-256-cbc -in cred_file.enc -out cred_file.txt -pass file:./key.bin -md sha256
```
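The hand-over above is easy to get wrong on the partner side (wrong key file, wrong digest, passphrase not supplied). The following script, added here as an example and not OVO's own tooling, simulates both sides in a scratch directory: it generates the partner key pair exactly as above, stands in for OVO by wrapping a random key and encrypting a constructed credential file, and then runs the two decrypt commands from the guide. The passphrase and credential contents are constructed for the demo; the OVO-side steps are assumed to mirror the decrypt commands and are not a statement of how OVO actually encrypts.

```sh
#!/bin/sh
# Added example (not OVO's own scripts): end-to-end check of the credential hand-over.
set -eu

# Constructed demo passphrase for the partner's private key (assumption, not from the guide)
PASS="demo-passphrase-change-me"

# Partner side: passphrase-protected RSA private key plus the public key sent to OVO
partner_make_keys() {
    openssl genrsa -des3 -passout "pass:$PASS" -out id_rsa.pem 2048 2>/dev/null
    openssl rsa -in id_rsa.pem -passin "pass:$PASS" -outform PEM -pubout -out id_rsa.pub.pem 2>/dev/null
}

# Simulated OVO side: random symmetric key, AES-256-CBC with sha256 key derivation,
# symmetric key wrapped with the partner's RSA public key. key.bin is hex so that
# "-pass file:" (which reads the first line of the file) sees the whole key.
ovo_encrypt() {
    printf 'client_id=demo-client\nclient_secret=demo-secret\n' > cred_file.txt.orig
    openssl rand -hex 32 > key.bin
    openssl enc -aes-256-cbc -salt -in cred_file.txt.orig -out cred_file.enc -pass file:./key.bin -md sha256
    openssl rsautl -encrypt -pubin -inkey id_rsa.pub.pem -in key.bin -out key.bin.enc
    rm -f key.bin
}

# Partner side: the two commands from the guide, with the passphrase supplied explicitly
partner_decrypt() {
    openssl rsautl -decrypt -inkey id_rsa.pem -passin "pass:$PASS" -in key.bin.enc -out key.bin
    openssl enc -d -aes-256-cbc -in cred_file.enc -out cred_file.txt -pass file:./key.bin -md sha256
}

# Run the whole exchange in a temporary directory and print "ok" if the
# decrypted credentials match what was encrypted
roundtrip() {
    dir=$(mktemp -d)
    result=$(
        cd "$dir" || exit 1
        partner_make_keys
        ovo_encrypt
        partner_decrypt
        if cmp -s cred_file.txt.orig cred_file.txt; then echo ok; else echo mismatch; fi
    )
    rm -rf "$dir"
    echo "$result"
}

roundtrip
```

If `-md sha256` is omitted on either side, older OpenSSL defaults to MD5 key derivation and the decrypt fails with a "bad decrypt" error, which is the most common support ticket for this step. `rsautl` is deprecated in OpenSSL 3.x (it prints a warning but still works); `openssl pkeyutl -decrypt` accepts the same `-inkey`, `-in` and `-out` arguments if the warning is unwanted.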
For signature generation in the SNAP Open API integration, the merchant needs to provide an additional public key in PKCS#1 format. The steps to generate it are below; use whichever genrsa line matches your OpenSSL version:
```sh
# OpenSSL 1.x writes a PKCS#1 ("BEGIN RSA PRIVATE KEY") private key by default:
openssl genrsa -out private.pem 4096
# OpenSSL 3.x defaults to PKCS#8; -traditional forces the PKCS#1 encoding:
openssl genrsa -traditional -out private.pem 4096
# Export the public key in PKCS#1 format ("BEGIN RSA PUBLIC KEY"):
openssl rsa -in private.pem -RSAPublicKey_out -out public.pem
```
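The two public-key encodings differ only in their PEM header, so a merchant can verify the file before sending it. The script below, added as an example (not OVO's own tooling), exports both encodings from one private key and classifies a PEM file by its header; it avoids `-traditional` so that it runs the same on OpenSSL 1.1.x and 3.x, since `-RSAPublicKey_out` does not depend on the private key's encoding. File names are constructed for the demo.

```sh
#!/bin/sh
# Added example (not OVO's own tooling): export and check the two public-key encodings.
set -eu

# Export both encodings from one private key (4096-bit, as in the guide)
export_public_keys() {
    openssl genrsa -out private.pem 4096 2>/dev/null
    # SubjectPublicKeyInfo: "-----BEGIN PUBLIC KEY-----" (what -pubout produces; NOT PKCS#1)
    openssl rsa -in private.pem -pubout -out public_spki.pem 2>/dev/null
    # PKCS#1: "-----BEGIN RSA PUBLIC KEY-----" (what SNAP signature setup asks for)
    openssl rsa -in private.pem -RSAPublicKey_out -out public.pem 2>/dev/null
}

# Print pkcs1, spki or unknown depending on the PEM header of the given file
public_key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN RSA PUBLIC KEY-----") echo pkcs1 ;;
        "-----BEGIN PUBLIC KEY-----")     echo spki ;;
        *)                                echo unknown ;;
    esac
}

# Run the check in a scratch directory; prints "pkcs1 spki" for the two files above
demo() {
    dir=$(mktemp -d)
    result=$(
        cd "$dir" || exit 1
        export_public_keys
        printf '%s %s' "$(public_key_format public.pem)" "$(public_key_format public_spki.pem)"
    )
    rm -rf "$dir"
    echo "$result"
}

demo
```

Run `public_key_format public.pem` on the file you intend to send; anything other than `pkcs1` means the wrong export command was used.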
To make UAT go smoothly later, merchants should provide a UI/UX mockup that the OVO team can review at the beginning of the integration process. The points that need to be covered in the UI/UX are listed below:
In the linkage flow, the partner must call the LOOKUP API at the beginning of linkage (this is mandatory); the partner will then receive the account_status from OVO. The partner must be aware that there are 2 conditions under which linkage is not allowed:
If the partner receives one of the above account statuses, the partner must show the specific error message in the partner app.
After getting the account status from the Lookup API, if the status is ACTIVE or ACTIVE_NO_PIN, the partner can continue to call the Activation API.
The partner needs to show a specific message in the partner platform indicating whether the linkage process succeeded or not. The aim is to make sure the customer is aware that their OVO account is now linked to the partner platform. For example, the partner can show the message as a pop-up or on an individual screen.
Partners can refer to these samples of how other partners show the successful-linkage message:
Fig. 1: Success linkage notification using a pop-up message
Fig. 2: Success linkage notification using an individual page
When the linkage process succeeds, the partner needs to show the customer's OVO balance. The balance has to be visible in the partner platform when the user makes a payment, and it must also be shown on the payment method page.
Partners can refer to these samples of how other partners show the OVO balance:
Fig. 3: Showing the OVO balance on the payment method page
Fig. 4: Showing the OVO balance on the checkout page
There are two sources of funds for the Payment API in OVO: OVO Cash and OVO Points. The partner can use points by default if this is mentioned in the agreement (in this case please liaise with the OVO business team). Using OVO Points therefore requires some adjustment on the merchant side.
If the partner develops OVO Points as a payment method, the partner needs to have 2 UI/UX variants for payment:
Partners can refer to these samples:
Fig. 5: Showing the OVO balance when the customer is eligible to use OVO Points
Fig. 6: Showing the OVO balance when the customer is unable to use OVO Points
Note: For partners who integrate both one-time payment and recurring (Auto Debit) payments, the partner needs to redirect the user to the PIN webview at their first Auto Debit transaction.
For the unlink process, the partner can refer to the journey below and needs to show that the unlink succeeded:
Fig. 7: Unlink account flow
Fig. 8: Unlink account success notification using a pop-up message
Fig. 9: Unlink account success notification using an individual page
Below is the unlink wording required by the OVO compliance team (English version followed by the Indonesian version); the partner has to show this message during the unlink process.
Unlink OVO?
To use your remaining OVO Cash and OVO Points balance, you'll need to reactivate OVO in the [Partner’s Name] App or download OVO app for more functionalities such as P2P transfer and withdrawal to bank account.
Contact [email protected] for more information.
[No] [Unlink]
Memutus Tautan (Unlink) Akun OVO?
Untuk menggunakan saldo OVO Cash dan OVO Points, Anda harus mengaktifkan kembali Akun OVO Anda pada Aplikasi [Nama Partner] atau download Aplikasi OVO untuk menikmati fungsi-fungsi lainnya seperti transfer dan penarikan dana ke rekening bank.
Hubungi [email protected] atau 1500696 untuk informasi lebih lanjut.
[Tidak] [Putuskan Tautan]
The unlink process requires the AccessToken for authorization. However, the AccessToken can be invalid when:
For case number 2, the user usually will not be aware that their action in the OVO app affects their linkage on the partner side. When they open the partner app, they will find that they can neither perform a payment nor check their OVO balance, because all the tokens stored by the partner are invalid. In this case the user needs to perform an unlink from the partner platform. When the partner calls the Unlink API with the invalid AccessToken, OVO responds as below:
```json
{
  "error": {
    "code": "OV00502",
    "message": "Unauthorized access"
  },
  "responseCode": "401XX00",
  "responseMessage": "General unauthorized error (No Interface Def, API is Invalid, Oauth Failed, Verify Client Secret File, Client Forbidden Access API, Unknown Client, Key not Found)"
}
```
If the partner gets the above error when calling the Unlink API, please refer to the handling of expired tokens.
For the expired-token condition, please use the flow below.
When the user changes their phone number in the OVO app, the AccessToken is broken:
Fig. 10: User changes their phone number in the OVO app
In this case the unlink process is still shown as successful on the front end:
Fig. 11: The unlink process is still shown as successful on the front end
Fig. 12: ...even though the partner received the error in the backend
In the partner platform, when the user wants to check out and continues to the payment page, the partner needs to call Get User Account Balance first. This is intended to make the user aware when their OVO balance is insufficient and they cannot continue the payment. In this case, the partner needs to:
Partners can refer to these samples of how other partners inform the user that their balance is insufficient:
Fig. 13: Showing a warning message that the OVO balance is not enough, together with a How to Top Up button
Fig. 14: The OVO payment method button is turned grey/disabled due to the customer's insufficient OVO balance
The AccessToken has a fixed expiry. Currently the AccessToken expiry is 15 days; if the AccessToken is expired, the partner will get an error like the one below:
```json
{
  "error": {
    "code": "OV00502",
    "message": "Unauthorized access"
  },
  "responseCode": "401XXXX",
  "responseMessage": "General unauthorized error (No Interface Def, API is Invalid, Oauth Failed, Verify Client Secret File, Client Forbidden Access API, Unknown Client, Key not Found)"
}
```
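Both the invalid-token response shown for the Unlink API and the expired-token response above carry error code OV00502 with a responseCode starting with 401, so partner backends should branch on that prefix rather than on the exact "401XX00" or "401XXXX" strings. The script below, added as an example and not OVO's code, classifies a response body accordingly; the two unauthorized bodies are constructed from the responses shown in this guide (responseMessage shortened), and the "ok" body is a constructed placeholder, not an actual OVO success response. The `sed` extraction is deliberately minimal for this fixed shape; a production backend would use a real JSON parser.

```sh
#!/bin/sh
# Added example (not OVO's code): detect the "token invalid or expired" case in an API response.
set -eu

# Constructed from the two unauthorized responses in this guide (messages shortened)
RESP_INVALID_TOKEN='{"error":{"code":"OV00502","message":"Unauthorized access"},"responseCode":"401XX00","responseMessage":"General unauthorized error (...)"}'
RESP_EXPIRED_TOKEN='{"error":{"code":"OV00502","message":"Unauthorized access"},"responseCode":"401XXXX","responseMessage":"General unauthorized error (...)"}'
# Constructed placeholder for a successful response; not an actual OVO response code
RESP_OK='{"responseCode":"2XXXXXX","responseMessage":"constructed success placeholder"}'

# Extract the value of "responseCode" from a JSON body (fixed shape only)
response_code() {
    printf '%s' "$1" | sed -n 's/.*"responseCode"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Classify the response:
#   token-invalid  -> tokens stored for this user are no longer usable; per the guide,
#                     show the unlink as successful on the front end and follow the
#                     expired-token handling flow
#   ok:<code>      -> any other responseCode
#   unparseable    -> no responseCode found
classify_response() {
    code=$(response_code "$1")
    case "$code" in
        401*) echo "token-invalid" ;;
        "")   echo "unparseable" ;;
        *)    echo "ok:$code" ;;
    esac
}

classify_response "$RESP_INVALID_TOKEN"
classify_response "$RESP_EXPIRED_TOKEN"
classify_response "$RESP_OK"
```

Matching on the 401 prefix means the same handling covers a token broken by a phone-number change and a token that has simply reached its 15-day expiry, which is what the guide asks for in both cases.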
For UAT, the partner needs to perform:
OVO suggests that the partner hide the token/URL in the front end (in case the partner also develops a website/m-website version).
Fig. 15: Page on the desktop
As additional information for the partner, the expiration details for each token are below: