Asanpay, payment protocol verification, API security, TLS testing, idempotency.

1. Introduction

Digital payment systems must guarantee authenticity, integrity, and non-repudiation. Asanpay, operated by the Central Bank of Azerbaijan’s partner institutions, processes thousands of daily transactions. However, protocol-level flaws—such as weak signature schemes or improper redirect validation—can lead to financial fraud. This paper aims to answer: How can one systematically verify that the Asanpay protocol behaves as specified and securely?

2. Background

Asanpay typically follows a REST API pattern over HTTPS. Merchants or users initiate a payment request; Asanpay returns a transaction ID and a payment URL; after user authentication, Asanpay calls back the merchant’s webhook with a status update.

{
  "amount": 1.00,
  "currency": "AZN",
  "merchant_id": "test_merchant",
  "idempotency_key": "unique-123",
  "signature": "calculated_hmac"
}

Expected: 200 OK + payment_url. If 400 Bad Request, check the signature or look for a missing field.

Asanpay likely uses:

Asanpay is a digital payment system in Azerbaijan (part of the "Asan" ecosystem of services, similar to e-government payment gateways). A technical or security paper on this topic would focus on verifying its communication protocol (e.g., HTTPS/TLS, API request-response structure, digital signatures, and payment confirmation flows).
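
The signature and idempotency checks on the payment request shown earlier, written as a mock gateway verifier for a test harness; this is an added example, not Asanpay's code and not part of the original paper. The HMAC-SHA256 scheme, the sorted-key JSON canonicalization, the secret and the result labels are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import json

SECRET = b"constructed-test-secret"  # assumption: per-merchant shared key
REQUIRED = {"amount", "currency", "merchant_id", "idempotency_key", "signature"}


def canonical(fields):
    """Deterministic bytes for every field except the signature itself."""
    body = {k: v for k, v in fields.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(fields, secret=SECRET):
    """Assumed scheme: hex HMAC-SHA256 over the canonical body."""
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


class RequestVerifier:
    """Mock-gateway check: field presence, signature, then idempotency."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.seen = {}  # idempotency_key -> signature first accepted under it

    def check(self, fields):
        if not REQUIRED <= fields.keys():
            return "missing_field"  # the page's 400 case
        given = str(fields["signature"]).encode()
        expected = sign(fields, self.secret).encode()
        if not hmac.compare_digest(given, expected):  # constant-time compare
            return "bad_signature"  # the page's 400 case
        key = fields["idempotency_key"]
        if key in self.seen:
            # Same key, same signed body: a retry. Different body: reject.
            return "duplicate" if self.seen[key] == expected else "key_conflict"
        self.seen[key] = expected
        return "ok"  # the page's 200 OK + payment_url case


# Constructed sample built from the field names and values shown on the page.
SAMPLE = {"amount": 1.00, "currency": "AZN", "merchant_id": "test_merchant",
          "idempotency_key": "unique-123"}
SAMPLE["signature"] = sign(SAMPLE)

if __name__ == "__main__":
    gateway = RequestVerifier()
    print(gateway.check(SAMPLE), gateway.check(SAMPLE))
    print(gateway.check(dict(SAMPLE, amount=100.00)))
```

A verifier that reports "ok" for a reused key with a different signed body, or for a request whose amount changed after signing, has failed the idempotency or integrity property the paper sets out to check.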