Dragonpay API Configurations

Dragonpay Security Upgrade: Transitioning to RSA-SHA256 for Payment Postbacks

Overview: Why This Upgrade is Important

At Dragonpay, the security of your transactions is our top priority. To maintain the highest standards of digital security, we are upgrading the digital signature algorithm used for our payment collection postbacks/webhooks from SHA-1 to RSA-SHA256.

What This Means For You:

  • Enhanced Security: This upgrade strengthens the cryptographic security of your transaction data, protecting against potential vulnerabilities.
  • Continued Integration: To ensure your Dragonpay payment collection postbacks and Collection API requests continue to function without interruption, you are required to update your secret keys.
  • Please note that SHA-1 will be officially deprecated by December 10, 2025. We urge you to complete this migration well in advance of this date.

Key Action: Regenerate Your Secret Keys

This process involves generating new keys within your Dragonpay AdminWeb portal and updating your system’s integration. We strongly recommend performing these steps in your UAT (User Acceptance Testing) environment first before making changes to your live production system.

Detailed Guide: How to Update Your Keys

Follow the steps below to successfully regenerate and deploy your new secret keys.

Step 1: Accessing the AdminWeb Portal

  1. Log in to the Dragonpay AdminWeb portal using your main sub user (where Merchant ID is equal to User ID).

Step 2: Navigating to Manage Secrets

  1. Once logged in, click on Admin located on the upper-right corner of the page.
  2. From the dropdown menu, select Manage Secrets and then click Administer.

Part A: Regenerating Your SHA1 Key (for Collection API Requests)

 

  • Impact: This key is used for your Collection API requests. Regenerating it will require you to update your Collection API integration.
  • Steps:
    1. IMPORTANT: Before proceeding, copy your current SHA1 Key and save it somewhere secure. This serves as your contingency plan if you need to revert changes.
    2. Under the SHA1 section, click the Generate button.
    3. Copy the newly generated SHA1 Key.
    4. Prepare the necessary changes on your system to update your Collection API integration with this new SHA1 Key.
    5. Click the Save button on the AdminWeb portal.
    6. Deploy the changes on your side (update your system with the new key).
    7. Thoroughly test all relevant functionalities on your side to ensure a smooth transition.
  • Contingency Plan: Revert to Previous SHA1 Key:
    1. Log in to AdminWeb (as per Step 1).
    2. Go to Admin > Manage Secrets > Administer (as per Step 2).
    3. Paste the previously saved SHA1 Key (from Part A, Step 1) into the SHA1 textbox.
    4. Revert the corresponding changes you made on your system.
    5. Click the Save button on the AdminWeb portal.

Part B: Regenerating Your HMAC-SHA256 Key (for Postback Verification)

  • Impact: This key is used to verify Dragonpay’s collection postback via the Signature field Collection API requests. Regenerating it will require you to update your Collection API integration.

  • Steps:
    1. IMPORTANT: Before proceeding, copy your current HMAC-SHA256 Key and save it somewhere secure. This serves as your contingency plan if you need to revert changes.
    2. Under the HMAC-SHA256 section, click the Generate button.
    3. Copy the newly generated HMAC-SHA256 Key.
    4. Prepare the necessary changes on your system to verify Dragonpay’s collection postback using this new HMAC-SHA256 Key.
    5. Click the Save button on the AdminWeb portal.
    6. Deploy the changes on your side (update your system with the new key).
    7. Thoroughly test all relevant functionalities on your side to ensure a smooth transition.
 
  • Contingency Plan: Revert to Previous HMAC-SHA256 Key

    1. Log in to AdminWeb (as per Step 1).
    2. Go to Admin > Manage Secrets > Administer (as per Step 2).
    3. Paste the previously saved HMAC-SHA256 Key (from Part B, Step 1) into the HMAC-SHA256 textbox.
    4. Revert the corresponding changes you made on your system.
    5. Click Save.
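
The following is an added example, not Dragonpay's own code: a postback verifier that accepts the new HMAC-SHA256 key and, while the rotation in Part B is in progress, the previously saved key, so postbacks are not rejected between clicking Save and deploying your change. The field names, the ":" separator, the hex encoding and all key values are assumptions or constructed samples; take the real signed-string layout from Dragonpay's API documentation.

```python
import hashlib
import hmac

# ASSUMPTION: field names, their order and the ":" separator are placeholders;
# take the real signed-string layout from Dragonpay's API documentation.
SIGNED_FIELDS = ("txnid", "refno", "status", "message")


def signed_string(fields: dict) -> bytes:
    """Build the byte string the signature is computed over (assumed layout)."""
    return ":".join(fields[name] for name in SIGNED_FIELDS).encode("utf-8")


def sign(key: bytes, fields: dict) -> str:
    """Hex-encoded HMAC-SHA256 (hex encoding is also an assumption)."""
    return hmac.new(key, signed_string(fields), hashlib.sha256).hexdigest()


def verify_postback(fields: dict, signature: str, keys: list):
    """Return the label of the key that verifies the postback, else None.

    keys is an ordered list of (label, key_bytes): the current key first and,
    only while a rotation is in progress, the previous key after it.
    """
    if any(name not in fields for name in SIGNED_FIELDS):
        return None  # incomplete postback: reject instead of raising
    received = signature.strip().lower().encode("utf-8")
    matched = None
    for label, key in keys:
        expected = sign(key, fields).encode("ascii")
        # compare_digest is constant-time; check every key so timing does not
        # reveal which key (if any) matched.
        if hmac.compare_digest(expected, received) and matched is None:
            matched = label
    return matched


# Constructed sample data (not real keys or transactions).
NEW_KEY = b"constructed-new-hmac-key"
OLD_KEY = b"constructed-old-hmac-key"
KEYS = [("current", NEW_KEY), ("previous", OLD_KEY)]
POSTBACK = {"txnid": "ORDER-1001", "refno": "REF123", "status": "S", "message": "ok"}

if __name__ == "__main__":
    print(verify_postback(POSTBACK, sign(NEW_KEY, POSTBACK), KEYS))   # current
    print(verify_postback(POSTBACK, sign(OLD_KEY, POSTBACK), KEYS))   # previous
    forged = dict(POSTBACK, status="F")
    print(verify_postback(forged, sign(NEW_KEY, POSTBACK), KEYS))     # None
```

Log the returned label: once no postback verifies as "previous", remove the old key from the list so only the current key is accepted.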

Important Reminders:

  • Test in UAT First: Always implement and test all changes in your UAT environment before applying them to your production system.
  • Secure Your Keys: Treat your new secret keys with the highest level of security. Do not share them publicly.
  • Deadline: Please complete this security upgrade by December 10, 2025, to avoid any disruption to your payment collection services.
 

Need Assistance?

We are here to support you through this transition. If you have any questions or encounter issues during the key regeneration process, please do not hesitate to contact our DevOps Support Team at [email protected]

 
