Apple Pay for the Web Merchant Validation

Has anyone found documentation on actually performing the Merchant Validation step? A signed request to the validationURL in the onvalidatemerchant event gives me an error message requesting a valid JSON object. Passing a valid JSON object responds with

{
  "statusMessage": "Payment Services Exception Invalid session request -- missing merchant identifier",
  "statusCode": "400"
}

Unfortunately, all of the obvious key names for merchant identifier are failing me (id, merchant, merchant_id, merchant_identifier). As far as I can tell, there isn't any documentation surrounding this step.

Answered by jarretth in 150042022

Finally figured it out!

"merchantIdentifier" is the correct field name, and there are 2 more required, "domainName" and "displayName". The trick here is that "merchantIdentifier" is actually OID 1.2.840.113635.100.6.32 in the identity certificate (view the certificate in Keychain for an easy way to find this), and "displayName" is your plaintext name.

{
    "merchantIdentifier":"F3[...]4B",
    "domainName":"[verified domain]",
    "displayName":"merchant.[...]"
}

IE:

curl --data '{"merchantIdentifier":"F3[...]4B", "domainName":"[verified domain]", "displayName":"merchant.[...]"}' --cert ./<certFile>:<certPassword>  <validationURL>


And a session token is yours!

Tried merchantIdentifier?

Hi, I also work on this. I didn't find any doc or info for the performValidation method. Can you please give us some sample code of this method? Thx.

Hi, could you please share something about how your "performValidation" function looks like?

try this to get you started


function performValidation(valURL) {
  return new Promise(function(resolve, reject) {
    var xhr = new XMLHttpRequest();
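    xhr.onload = function() {
      try {
        resolve(JSON.parse(this.responseText));
      } catch (e) {
        reject(e); // the proxy returned something that is not JSON
      }
    };
    xhr.onerror = reject;
    // Encode the URL so it survives as a single query parameter
    xhr.open('GET', 'apple_pay_do.php?u=' + encodeURIComponent(valURL));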
    xhr.send();
  });
}


and in apple_pay_do.php


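$validation_url = $_GET['u'] ?? '';

// This request presents the merchant certificate, so only send it to
// Apple's gateway, never to an arbitrary browser-supplied URL.
// (Host list is an assumption: use the hosts Apple publishes.)
$allowed_hosts = array('apple-pay-gateway.apple.com', 'apple-pay-gateway-cert.apple.com');
$parts = parse_url($validation_url);
$scheme = strtolower($parts['scheme'] ?? '');
$host = strtolower($parts['host'] ?? '');
if ($scheme !== 'https' || !in_array($host, $allowed_hosts, true)) {
    http_response_code(400);
    exit('Invalid validation URL');
}

// create a new cURL resource
$ch = curl_init();

$data = '{"merchantIdentifier":"97....B0", "domainName":"your domain name", "displayName":"your display name"}';

curl_setopt($ch, CURLOPT_URL, $validation_url);
curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
curl_setopt($ch, CURLOPT_SSLCERT, PRODUCTION_CERTIFICATE_PATH);
curl_setopt($ch, CURLOPT_SSLKEY, PRODUCTION_CERTIFICATE_KEY);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);

// Without CURLOPT_RETURNTRANSFER, curl_exec() writes Apple's response
// straight to the output, which is what the XHR above reads.
if (curl_exec($ch) === false)
{
    echo 'Curl error: ' . curl_error($ch);
}

// close cURL resource, and free up system resources
curl_close($ch);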


This has got me as far as getting the merchant session identifier and nonce back from Apple, and a successful "Pay with Touch ID" section in the Apple Pay sheet in mobile Safari.

Hi,

Calling the validationURL (to start session) gives me 404 - page not found. How did you manage to get this nice error message 😀

The merchant validation service seems to be offline at the moment, since around Friday (was working fine for me before then). Currently getting Http/1.1 Service Unavailable

Can I ask roughly what certificate you provided in that curl command, e.g. which stage in setup did it come from. I've exported various certs and tested a similar command from my webserver but to no avail:


$ cat fish.post
{"merchantIdentifier":"B7...D8","domainName:"www.***","displayName":"merchant.com.xxxxxxxxx"}
$ curl -k -X POST -d @fish.post --cert ~/applepaycerts/my.pem https://apple-pay-gateway-cert.apple.com/paymentservices/startSession


My current error is:


curl: (35) error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca


Thanks,


Paul

Scratch that, it was the key/cert combination I thought it was, but I noticed in Keychain that my copy was marked as "invalid" and I had to regenerate.

It looks like it is still offline... I am currently getting HTTP/1.1 500 Internal Server Error

It's working ok for me today (and yesterday)

Silly question but,

the value of your merchantIdentifier, you said you can view this in Keychain, is it the value of the data field under the extension 1.2.840.113635.100.6.32?

Extension (1.2.840.113635.100.6.32)

Critical: NO

Data: 06...8F

The merchantIdentifier format shown in the online guide is working OK now, no need to hunt for the ID in the certificate any more


{ "merchantIdentifier":"merchant.com.example.mystore", "domainName":"mystore.example.com", "displayName":"MyStore" }

thanks! That works great.


I was also incorrectly adding in my https:// to my domain name.
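The server-side checks this thread arrives at, collected as an added example (not code from any poster or from Apple): validate the browser-supplied validationURL before the merchant certificate is presented to it, and build the request body so that a scheme in domainName or a hand-typed quoting slip is caught early. The function names are hypothetical and the host list is an assumption to be replaced with the gateway hosts Apple publishes.

```javascript
'use strict';

// Assumption: hosts the server is willing to contact with its merchant
// certificate. Replace with the gateway list Apple currently publishes.
const ALLOWED_HOSTS = new Set([
  'apple-pay-gateway.apple.com',
  'apple-pay-gateway-cert.apple.com', // host used in this thread
]);

// Check the URL taken from the onvalidatemerchant event before any
// certificate-authenticated request is sent to it.
function checkValidationURL(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    throw new Error('validationURL is not a URL');
  }
  if (url.protocol !== 'https:') throw new Error('validationURL must be https');
  if (url.username || url.password) throw new Error('credentials not allowed');
  if (url.port !== '') throw new Error('non-default port not allowed');
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    throw new Error('host not allowed: ' + url.hostname);
  }
  return url.href;
}

// Build the POST body. JSON.stringify avoids hand-typed quoting mistakes.
function buildSessionBody(merchantIdentifier, domainName, displayName) {
  const fields = { merchantIdentifier, domainName, displayName };
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== 'string' || value.trim() === '') {
      throw new Error(name + ' is required');
    }
  }
  // domainName is a bare host name: no scheme, path or port.
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(domainName)) {
    throw new Error('domainName must be a bare host name, got: ' + domainName);
  }
  return JSON.stringify(fields);
}

// Returns the checked URL and body, ready for the mutually authenticated POST.
function prepareSessionRequest(validationURL, f) {
  return {
    url: checkValidationURL(validationURL),
    body: buildSessionBody(f.merchantIdentifier, f.domainName, f.displayName),
  };
}
```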

Hi,


I am trying to do merchant validation and getting the below error.

Please help.

If anyone has a standalone file to connect to the Apple server using HTTPS POST.

Please share ...


javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

