    Overview of REST
To get started using the National Australia Bank payment API, you must first set up your payment processing system to be REST compliant. National Australia Bank uses REST for developing web services. REST enables communication between a client and a server over HTTP. This guide explains how to set up secure communications between your client and server using one of these methods:
- JSON Web Token: JSON Web Tokens (JWTs) are digitally signed JSON objects based on the open standard RFC 7519. These tokens provide a compact, self-contained method for securely transmitting information between parties. These tokens are signed with an RSA-encoded public/private key pair. The signature is calculated over the header and body, which enables the receiver to validate that the content has not been tampered with. Token-based messages are best for applications that use browser and mobile clients.
- HTTP Signature: Each request is digitally signed, or the entire request is digitally hashed using a private key. Both the client and server have the same shared secret, which enables each request to be validated on either end. If the request transmission is compromised, the attacker cannot change the request or act as a user without the secret. HTTP signatures can be used only with API requests. They cannot be used in browser or mobile applications.
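The shared-secret scheme described above, as an added illustration that is not National Australia Bank's own code or its exact header format: the client signs a canonical string (host, date, request target and a SHA-256 digest of the body) with an HMAC keyed by the shared secret, and the server recomputes the MAC and compares it in constant time. The secret, the Digest/Signature header layout and the sample JSON body are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the example; a real secret is provisioned per merchant.
SHARED_SECRET = base64.b64encode(b"example-shared-secret-not-real").decode()


def body_digest(body: bytes) -> str:
    """SHA-256 digest of the request body, Base64-encoded (RFC 3230 style, assumed layout)."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method: str, path: str, host: str, date: str, digest: str) -> str:
    """Canonical string covering the request parts that must not change in transit."""
    return "\n".join([
        f"host: {host}",
        f"date: {date}",
        f"(request-target): {method.lower()} {path}",
        f"digest: {digest}",
    ])


def sign_request(secret_b64: str, method: str, path: str, host: str, date: str, body: bytes) -> dict:
    """Client side: return the headers a signed request would carry."""
    digest = body_digest(body)
    key = base64.b64decode(secret_b64)
    mac = hmac.new(key, signing_string(method, path, host, date, digest).encode(), hashlib.sha256).digest()
    return {"Host": host, "Date": date, "Digest": digest, "Signature": base64.b64encode(mac).decode()}


def verify_request(secret_b64: str, method: str, path: str, headers: dict, body: bytes) -> bool:
    """Server side: recompute digest and MAC from the received request; constant-time compare."""
    try:
        if body_digest(body) != headers["Digest"]:
            return False  # body altered after signing
        key = base64.b64decode(secret_b64)
        canonical = signing_string(method, path, headers["Host"], headers["Date"], headers["Digest"])
        expected = hmac.new(key, canonical.encode(), hashlib.sha256).digest()
        received = base64.b64decode(headers["Signature"])
    except (KeyError, ValueError):
        return False  # missing or malformed header
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    body = json.dumps({"orderInformation": {"amountDetails": {"totalAmount": "10.00", "currency": "AUD"}}}).encode()
    hdrs = sign_request(SHARED_SECRET, "POST", "/pts/v2/payments", "nabgateway-api-test.nab.com.au", "Mon, 01 Jan 2024 00:00:00 GMT", body)
    print(verify_request(SHARED_SECRET, "POST", "/pts/v2/payments", hdrs, body))  # True
    print(verify_request(SHARED_SECRET, "POST", "/pts/v2/payments", hdrs, body.replace(b"10.00", b"1.00")))  # False
```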
Secure Communication Requirements
REST-compliant machines communicate with each other using stateless messaging. Stateless messaging is a loosely coupled connection between a client and server, where each message is self-contained. This connection enables the client and server to communicate without first establishing a communication channel and without managing the state between systems. To ensure secure communications between the client and server, you must provide these security measures:
- Sender Authentication: A receiver needs to know that a message comes from a trusted entity.
- Message Encryption: By encrypting the message before transmission and decrypting the message when received, you prevent man-in-the-middle attacks.
IMPORTANT
When building your connection to the National Australia Bank payment gateway, ensure that you have implemented controls to prevent card testing or card enumeration attacks on your platform. For more information, see the best practices guide. When we detect suspicious transaction activity associated with your merchant ID, including a card testing or card enumeration attack, National Australia Bank reserves the right to enable fraud management tools on your behalf in order to mitigate the attack. The fraud team might also implement internal controls to mitigate attack activity. These controls block traffic that is perceived as fraudulent. Additionally, if you are using one of our fraud tools and experience a significant attack, our internal team might modify or add rules to your configuration to help prevent the attack and minimize the threat to our infrastructure. However, any actions taken by National Australia Bank would not replace the need for you to follow industry standard best practices to protect your systems, servers, and platforms.
Key Features of REST
These are the key features of REST:
- Client/Server model: Clients and servers are independent from each other, enabling portability and scalability.
- Stateless Communication: Each request is independent.
- Uniform Interface: Architecture is simplified through uniform standards.
Components of REST
			A REST message consists of these four components:
- Endpoint: The endpoint is a Uniform Resource Identifier (URI) that shows where and how to find the resource on the internet. For example, to test an authorization request, you can send the request to this endpoint: https://nabgateway-api-test.nab.com.au/pts/v2/payments
- HTTP Method: The method is the action performed on the resource. There are four basic HTTP methods:
  - POST: Create a resource.
  - GET: Retrieve a resource.
  - PATCH: Modify a resource.
  - DELETE: Delete a resource.
- Headers: The header is a collection of fields and their associated values. It provides information about the message to the receiver. Think of it as metadata about the message. The header also contains authentication information that indicates that the message is legitimate.
- Body: The request in JSON format.