Sample Code for ONDC Integration
The following code samples help you integrate with the ONDC BAP APIs. This includes relay server setup for handling API requests and encryption/decryption utilities for secure data handling.
Relay Server Setup (Node.js + Express)
Below is a sample implementation of a relay server using Express.js. This relay forwards requests to the BAP APIs with the required authentication header (X-API-KEY).
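```javascript
import express from "express"

const app = express()
const port = 3000
const bapRelayBase = "{{base_url}}/catalogue"
// Placeholder value. Load the real key from an environment variable or a
// secret store rather than committing it to source control.
const API_KEY = "API_KEY"

app.use(express.json())

// Forward /<action> to the BAP API, attaching the X-API-KEY header server-side.
app.use("/:action", async (req, res) => {
  try {
    // Express URL-decodes route params; re-encode so the value stays a single
    // path segment under bapRelayBase.
    const action = encodeURIComponent(req.params.action)
    const relayRes = await fetch(`${bapRelayBase}/${action}`, {
      method: req.method,
      headers: {
        "Content-Type": "application/json",
        "X-API-KEY": API_KEY,
      },
      body: JSON.stringify(req.body),
    })

    // Match on the media type only; the header may also carry a charset.
    const contentType = relayRes.headers.get("content-type") ?? ""
    if (contentType.includes("application/json")) {
      const relayJson = await relayRes.json()
      res.status(relayRes.status).json(relayJson)
    } else {
      const relayText = await relayRes.text()
      res.status(relayRes.status).send(relayText)
    }
  } catch (err) {
    // Without this, a failed fetch would leave the request hanging on Express 4.
    console.error("Relay request failed:", err)
    res.status(502).json({ error: "Upstream request failed" })
  }
})

app.listen(port, () => {
  console.log(`Relay server listening on port ${port}`)
})
```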
Implementation Notes:
- Replace API_KEY with your actual key provided by the team.
- Update bapRelayBase if you are relaying to endpoints other than /catalogue.
- Supports all POST-based BAP endpoints like search, select, etc.
- You can expand this logic to support query params, other methods (GET, DELETE), and additional routing as needed.
Encryption & Decryption (TypeScript)
Below is the code to encrypt and decrypt response data using AES-256-CBC encryption. You will need to use a 32-byte key and a 16-byte IV.
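```typescript
import * as crypto from "crypto"

interface TransactionData {
  transactionId: string
  companyOrderId: string
}

// Application configuration holding the decryption key. Reading it from an
// environment variable named BAP_ENC_KEY is an assumption made for this sample.
const settings = { bapEncKey: process.env.BAP_ENC_KEY ?? "" }

// Node.js interprets string key and IV arguments as UTF-8 bytes, so the strings
// passed in must be exactly 32 bytes (key) and 16 bytes (IV) long.

// Decrypt a base64-encoded AES-256-CBC payload and parse it as JSON.
function decryptResponse(encryptedData: string, iv: string) {
  const decipher = crypto.createDecipheriv(
    'aes-256-cbc',
    settings.bapEncKey,
    iv
  )
  let decrypted = decipher.update(encryptedData, 'base64', 'utf8')
  decrypted += decipher.final('utf8')
  return JSON.parse(decrypted)
}

// Serialize the transaction data to JSON and encrypt it to base64.
function encryptResponse(data: TransactionData, key: string, iv: string) {
  const cipher = crypto.createCipheriv('aes-256-cbc', key, iv)
  const jsonData = JSON.stringify(data)
  let encrypted = cipher.update(jsonData, 'utf8', 'base64')
  encrypted += cipher.final('base64')
  return encrypted
}
```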
Encryption Requirements:
- Key should be a 32-byte hexadecimal string.
- IV (Initialization Vector) should be a 16-byte hex string passed along with the response.
- Use the decryptResponse function to decrypt encrypted data received from API responses.
- Use the encryptResponse function to encrypt transaction data before sending to place order endpoints.
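A stricter variant of the two helpers above, added here as an illustration and not part of the provider's sample code: it checks key and IV byte lengths, generates a fresh IV for every message, and validates the decrypted object. It assumes the key and IV are passed to Node.js as strings exactly as in the sample (32 and 16 characters); the function names and sample values are hypothetical.

```javascript
// Added example; key and IV are used as UTF-8 strings, as in the sample above.
const crypto = require("node:crypto")
const ALGO = "aes-256-cbc"

// Node treats string keys/IVs as UTF-8 bytes, so check the byte length up front.
function assertLength(name, value, bytes) {
  if (typeof value !== "string" || Buffer.byteLength(value, "utf8") !== bytes) {
    throw new RangeError(`${name} must be exactly ${bytes} bytes`)
  }
}

// Fresh IV per message: 8 random bytes -> 16 hex characters -> 16 bytes.
function newIv() {
  return crypto.randomBytes(8).toString("hex")
}

function encryptTransaction(data, key) {
  assertLength("key", key, 32)
  const iv = newIv()
  const cipher = crypto.createCipheriv(ALGO, key, iv)
  const encrypted =
    cipher.update(JSON.stringify(data), "utf8", "base64") + cipher.final("base64")
  return { encrypted, iv } // the IV is not secret; send it with the ciphertext
}

function decryptTransaction(encrypted, key, iv) {
  assertLength("key", key, 32)
  assertLength("iv", iv, 16)
  let parsed
  try {
    const decipher = crypto.createDecipheriv(ALGO, key, iv)
    const text = decipher.update(encrypted, "base64", "utf8") + decipher.final("utf8")
    parsed = JSON.parse(text)
  } catch {
    // One generic error for bad padding and bad JSON alike.
    throw new Error("decryption failed")
  }
  // CBC has no integrity tag, so validate the shape before trusting the result.
  if (typeof parsed?.transactionId !== "string" ||
      typeof parsed?.companyOrderId !== "string") {
    throw new Error("decryption failed")
  }
  return parsed
}

// Constructed sample values, for illustration only.
const SAMPLE_KEY = "0123456789abcdef0123456789abcdef"
const SAMPLE_TXN = { transactionId: "txn-001", companyOrderId: "order-001" }
```

The encoding of the key and IV must match what the other side of the API uses; if the provider hex-decodes them instead, convert with `Buffer.from(value, "hex")` before calling the cipher.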
Security Best Practices
When implementing ONDC integration, ensure that your API keys and encryption keys are stored securely and not exposed in client-side code. All sensitive data should be encrypted using the provided encryption utilities. Failure to follow security best practices may result in unauthorized access to your systems.
Integration Support
For assistance during the integration process, please contact ONDC support at help@meribachat.in