Zuora CORS REST example


1 ACCEPTED SOLUTION

Community Manager

Re: Zuora CORS REST example

Question or Problem Statement:

 I'm having trouble with the Zuora CORS REST call - can you provide a more specific example?

Solution:

Using the REST HMAC Signature request process explained in our Knowledge Center (below), we can request a signature and token for one-time use against creating an account. (I've blocked my tenant account information for security reasons)

 

Cors1.jpg

This produces the following response

{
  "signature" : "ZjNmNGU0NWM0MjcwYTM2MDgzMjgyYmZkNTBmZWZlZThiMGZmZjczYg==",
  "token" : "dvk43javEPTkwGC7i86Zhs5Ik3NH6AFi",
  "success" : true
}

 

We've effectively completed steps 1-4 on the CORS workflow diagram.

Now we can send a REST Create Account API call using the above signature and token to complete steps 5-6.

 

 

Which succeeds, producing the following response:

{
  "success" : true,
  "accountId" : "2c92c0fa4c74f9ff014c9559a6a2362e",
  "accountNumber" : "A00000005",
  "paymentMethodId" : "2c92c0fa4c74f9ff014c9559a97a3631"
}

 

 

Gotchas/Pitfalls:

  • It's important that both requests originate from the same location or server, or the authentication will fail on the REST create call.
  • The "name" field is required in the original signature/token request, which will match the "name" field for the account being created. For REST payment-method, it should be "accountKey".

Supporting References:




3 REPLIES 3

Support SME

Re: Zuora CORS REST example

Please note the above example usually requires the Origin header as well.

 

The Origin header needs to be present and set to the same URL in both the HMAC and the succeeding POST call, e.g.:

 

POST /rest/v1/hmac-signatures HTTP/1.1
Host: apisandbox-api.zuora.com
Content-Type: application/json
Authorization: Basic xxxxxx==
Origin: www.test.gov.uk
Cache-Control: no-cache
Postman-Token: xxx-e424-8a27-c289-xxx

{
  "uri": "https://apisandbox-api.zuora.com/rest/v1/payment-methods/credit-cards",
  "method": "POST",
  "accountKey": "2c92c0f85e1d50df015e338f66746b01"
}

{
  "signature" : "xxx==",
  "token" : "xxx",
  "success" : true
}

--------------------------

POST /rest/v1/payment-methods/credit-cards HTTP/1.1
Host: apisandbox-api.zuora.com
Signature: xxx==
Token: xxx
Content-Type: application/json
Origin: www.test.gov.uk
Cache-Control: no-cache
Postman-Token: xxx-b669-9415-bba4-xxx

{"defaultPaymentMethod": true,
"cardHolderInfo":
  {"addressLine1": "77 Fallon Glen",
   "addressLine2": "",
   "zipCode": "94020",
   "state": "California",
   "phone": "4155551234",
   "country": "USA",
   "cardHolderName": "Bill Thiebault",
   "city": "Fremont",
   "email": "bill@testaddress.com"},
"expirationMonth": "10",
"accountKey": "2c92c0f85e1d50df015e338f66746b01",
"creditCardType": "Visa",
"expirationYear": "2019",
"creditCardNumber": "4111111111111111",
"securityCode": "123"
}

{
    "success": true,
    "paymentMethodId": "2c92c0fa5e1d50a5015e383343db745a"
}



Support SME

Re: Zuora CORS REST example

Please also note that some REST solutions tend to append "Params" after the endpoint defined in the POST, e.g. POST https://apisandbox-api.zuora.com/rest/v1/accounts?%24format=json

 

Since the "Signature" generated by the HMAC call is specific to the uri defined in that call, and the appended "param" makes this a completely different URL, the generated Signature won't work for your 2nd call in this scenario. You need to make sure the uri defined in the HMAC call's body is exactly the same as the POST endpoint of the follow-up call.

 

If you need to, it IS possible to work with the appended "Params"; you just need to generate the HMAC token/signature pair for the uri that includes the full URL including the Param.



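A pre-flight check for the mismatches described in this thread (appended parameters on the uri, the Origin header, and the "name"/"accountKey" field), as an added example that is not part of the original posts or Zuora's own code. The helper `checkSignedCall`, its argument shapes and the sample account name are assumptions, and it compares values as exact strings, as the replies describe.

```javascript
// Added example (not Zuora code): compare what was signed with what will be sent.
// uri/method/name/accountKey and the Origin header come from the thread;
// checkSignedCall and the shape of its arguments are hypothetical.
function checkSignedCall(signed, followUp) {
  const problems = [];

  // The signature is tied to the exact uri, query string included, so compare
  // the raw strings rather than parsed or normalised URLs.
  if (signed.body.uri !== followUp.url) {
    const base = (u) => u.split("?")[0];
    problems.push(
      base(signed.body.uri) === base(followUp.url)
        ? "uri differs only in the query string; sign the full URL including parameters"
        : "uri in the signature request does not match the follow-up endpoint"
    );
  }

  if (signed.body.method !== followUp.method) {
    problems.push("HTTP method differs from the signed method");
  }

  // Origin must be present and identical on both calls.
  const o1 = signed.headers.Origin, o2 = followUp.headers.Origin;
  if (!o1 || !o2) problems.push("Origin header missing on one of the calls");
  else if (o1 !== o2) problems.push("Origin header differs between the two calls");

  // "name" (account creation) or "accountKey" (payment method) must carry through.
  for (const key of ["name", "accountKey"]) {
    if (key in signed.body && signed.body[key] !== followUp.body[key]) {
      problems.push(`"${key}" in the follow-up body does not match the signed value`);
    }
  }
  return problems;
}

// Constructed sample reproducing the appended-parameter case from the reply above.
const signed = {
  headers: { Origin: "www.test.gov.uk" },
  body: { uri: "https://apisandbox-api.zuora.com/rest/v1/accounts", method: "POST", name: "Test Account" },
};
const followUp = {
  url: "https://apisandbox-api.zuora.com/rest/v1/accounts?%24format=json",
  method: "POST",
  headers: { Origin: "www.test.gov.uk" },
  body: { name: "Test Account" },
};
console.log(checkSignedCall(signed, followUp));
```

An empty array means the follow-up call matches what was signed on every point the thread mentions; it does not prove the server will accept the signature.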