Protect with a library

Use an Adyen GitHub library to protect local communications between your POS app and terminal.

If your integration uses local communications, you need to protect your integration against man-in-the-middle attacks, eavesdropping, and tampering. To help you with this, we provide GitHub libraries that:

Validate the terminal certificate, to confirm your POS app is communicating directly with an Adyen-supplied payment terminal.
Encrypt communications. This prevents intruders from reading the messages transmitted between the POS app and the terminal.

The available libraries are:

These GitHub libraries work with Terminal API and are completely separate from the classic libraries, which are being deprecated.

Select a tab below for the Adyen GitHub library you want to use.

Before you begin

Make sure you have:

Use the .NET library

In your C# project, create a Config object specifying:

The URL of the terminal.
The environment: Test or Live.
Your merchant account.

Config config = new Config
    {
        Endpoint = "https://TerminalApiEndpoint:8443/nexo/",
        Environment = Model.Enum.Environment.Test,
        MerchantAccount = "YOUR_MERCHANT_ACCOUNT"
    };

Create a Client object using the Config object created in the previous step.
```
Client client = new Client(config);
```

Create the PosPaymentLocalApi service using the client created in the previous step.

Service.PosPaymentLocalApi posPaymentLocalApi = new Service.PosPaymentLocalApi(client);

Create an EncryptionCredentialDetails object specifying the identifier, passphrase, and version of your shared key.

EncryptionCredentialDetails encryptionCredentialDetails = new EncryptionCredentialDetails
    {
        AdyenCryptoVersion = 1,
        KeyIdentifier = "KEY_IDENTIFIER",
        Password = "KEY_PASSPHRASE",
        KeyVersion = 1
    };

When you send a Terminal API request to the payment terminal, use the PosPaymentLocalApi service specifying a SaleToPOIRequest object and the EncryptionCredentialDetails object.
```
SaleToPOIResponse response = posPaymentLocalApi.TerminalApiLocal(saleToPOIRequest, encryptionCredentialDetails);
```

The iOS library supports deriving the encryption key and encrypting and decrypting communications.

Before you begin

Make sure you have:
- Installed our iOS library (TerminalAPIKit) in your project.
- Installed Adyen's root certificate.
- Set up a shared key.

Derive the encryption key

To derive the key used for encrypting and decrypting local communications between the terminal and your POS app:

Make sure you know the identifier, passphrase, and version of the shared key that you set up in the Customer Area.

Derive the key, making sure to pass the values in string form exactly as they appear in the Customer Area.

let encryptionKey = try EncryptionKey(
    identifier: "KEY_IDENTIFIER",
    passphrase: "KEY_PASSPHRASE",
    version: KEY_VERSION
)

Once the key is derived, you are ready to encrypt your local communications.

Encrypt and decrypt communications

Create your request. For example, create a Message<PaymentRequest>.

Encrypt your request.

let encryptionKey: EncryptionKey = // the key you derived earlier
let request: Message<PaymentRequest> = // the payment request you created
let encryptedMessage: Data = try request.encrypt(using: encryptionKey)

Send the encryptedMessage to the terminal.

When you receive the response from the terminal, decrypt the response.

let key: EncryptionKey = // the key you derived earlier
let response: Data = // the response you receive from the terminal
let encryptedMessage: EncryptedMessage = try Coder.decode(EncryptedMessage.self, from: response)
let decryptedMessage: Message<PaymentResponse> = try decrypt(PaymentResponse.self, using: key)

Before you begin

Make sure you have:

Use the Java library

In your Java project, create a Config object, specifying:

Your merchant account.
The path to Adyen's root certificate.
The URL of the terminal without the :8443/nexo part.

Config config = new Config();
config.setMerchantAccount("Your merchant account");
config.setTerminalCertificate("Local path to the Adyen root certificate");
config.setTerminalApiLocalEndpoint("URL of the terminal, for example https://192.168.68.117, WITHOUT the port/nexo part :8443/nexo/");

Create a Client object using the Config object created in the previous step, and setting the environment to TEST or LIVE.

Client terminalLocalAPIClient = new Client(config);
terminalLocalAPIClient.setEnvironment(Environment.TEST, null);

Create the TerminalLocalAPI service using the client created in the previous step.

TerminalLocalAPI terminalLocalAPI = new TerminalLocalAPI(terminalLocalAPIClient);

Create a SecurityKey object specifying the identifier, passphrase, and version of your shared key.

SecurityKey securityKey = new SecurityKey();
securityKey.setAdyenCryptoVersion(1);
securityKey.setKeyIdentifier("Key identifier");
securityKey.setPassphrase("Key passphrase");
securityKey.setKeyVersion(1);

When you send a Terminal API request to the payment terminal, use the TerminalLocalAPI service specifying a TerminalApiRequest object and the SecurityKey object.
```
TerminalAPIResponse terminalAPIResponse = terminalLocalAPI.request(terminalApiRequest, securityKey);
```

Before you begin

Make sure you have:

Use the Node library

In your Node project, create a Config object, specifying:

Your merchant account.
The path to Adyen's root certificate.
The URL of the terminal without the :8443/nexo part.

const config: Config = new Config();
config.merchantAccount = "Your merchant account";
config.certificatePath = "Local path to the Adyen root certificate";
config.terminalApiLocalEndpoint = "URL of the terminal, for example https://192.168.68.117, WITHOUT the port/nexo part :8443/nexo/";

Create a Client object using the config object created in the previous step, and setting the environment to TEST or LIVE.
```
const client = new Client({ config });
client.setEnvironment("TEST");
```
Create the TerminalLocalAPI service using the client created in the previous step.
```
const terminalLocalAPI = new TerminalLocalAPI(client);
```

Create a SecurityKey object specifying the identifier, passphrase, and version of your shared key.

const securityKey: SecurityKey = {
    adyenCryptoVersion: 1,
    keyIdentifier:"Key identifier",
    keyVersion: 1,
    passphrase: "Key passphrase",
};

When you send a Terminal API request to the payment terminal, use the TerminalLocalAPI service specifying a TerminalApiRequest object and the SecurityKey object.
```
const terminalApiResponse: TerminalApiResponse =
 await terminalLocalAPI.request(terminalAPIPaymentRequest, securityKey);
```

The library will:

Serialize the request object to JSON and then encrypt and sign the request.
Send the request and receive the response.
Decrypt and deserialize the response and pass the content to the response object.

Troubleshooting

Crypto errors and SSL connection errors indicate a problem with the protection of the local communications.

Crypto errors

Example:

Exception: System.Net.WebException: The remote server returned an error: (401) Unauthorized.

The response body contains:

{
   "errors":[
      "Nexo Service: crypto error (9)"
   ],
   "ServiceID":"1234567890"
}

Cause: Crypto errors are related to the shared key. After you set up the shared key in your Customer Area, the shared key values in your code must match the shared key values in the Customer Area.

If you are using a library, check the values for the relevant object:

With the .NET library, check the EncryptionCredentialDetails object.
With the Java library, check theSecurityKey object.
With the Node library, check the SecurityKey object.

If you are using your own code:

Check the key derivation function. This uses the passphrase of the shared key.
Check the security trailer function. This uses the version and the identifier of the shared key.

Crypto error	Cause
crypto error (1)	There is a problem with parsing the request. This can be due to a syntax error.
crypto error (2)	The version number of the shared key in your code is unknown.
crypto error (3)	There is a problem with the message header of the request.
crypto error (4)	There is a problem with the body of the request.
crypto error (5)	There is a problem with the security trailer of the encrypted message. The trailer uses the version and identifier of the shared key.
crypto error (6)	There is a problem with the passphrase of the shared key.
crypto error (7)	The nonce is missing or incorrect. The nonce must have a length of 16 bytes.
crypto error (8)	The HMAC key is missing or incorrect. The HMAC key must have a length of 32 bytes.
crypto error (9)	The shared key details in your code don't match the shared key that is set up in your Customer Area.

SSL connection error

Example:

Exception : System.Net.WebException: The SSL connection could not be established

Possible cause: Adyen's root certificate is not installed correctly.

Protect with a library

Before you begin

Use the .NET library

Before you begin

Derive the encryption key

Encrypt and decrypt communications

Before you begin

Use the Java library

Before you begin

Use the Node library

Troubleshooting

Crypto errors

SSL connection error

See also