...

Then verify that the computed signature is the same as the signature provided in the Signature header (or the same as any of the signatures, if multiple secrets are valid).

Example

Here is an example that demonstrates the signing process.

Example hook request body:

{
    "eventType": "payment.statusChange",
    "eventTimestamp": "2024-05-07T14:49:55.884Z",
    "eventId": "c2949dfe-4585-46eb-9213-35f0f7faf055",
    "clientId": "62d23f64-2317-4071-8779-1cf52695b93d",
    "hookType": "payment.statusChange",
    "timestamp": "2024-05-07T14:49:55.884Z",
    "data": {
        "paymentId": "da96bc8f-cc77-4ae8-80ac-84b648178d60",
        "status": "BOOKED"
    }
}

Example signature (using secret value abcd):

ts=2024-05-07T14:49:55.887Z;v0=25450941c271d5309b57a5ba21486331cb21531fa2a28a0f5f87cc93ebbbe60e

To verify the signature:

  1. Concatenate the timestamp with the request body as a string, joined by "." as in the string below.

2024-05-07T14:49:55.887Z.{"eventType":"payment.statusChange","eventTimestamp":"2024-05-07T14:49:55.884Z","eventId":"c2949dfe-4585-46eb-9213-35f0f7faf055","clientId":"62d23f64-2317-4071-8779-1cf52695b93d","hookType":"payment.statusChange","timestamp":"2024-05-07T14:49:55.884Z","data":{"paymentId":"da96bc8f-cc77-4ae8-80ac-84b648178d60","status":"BOOKED"}}
  2. Use the HMAC-SHA256 algorithm to compute the hexadecimal hash of the string created in the previous step.
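
The verification steps above as a receiver-side check, added here as an illustration and not code from the API provider. It assumes the secret is used as UTF-8 bytes, that the raw request bytes are signed exactly as received, and that the Signature header carries a single v0 value; the function names and the sample secrets are hypothetical.

```python
import hashlib
import hmac

# Constructed sample input: the compact body and timestamp from the example above.
SAMPLE_TS = "2024-05-07T14:49:55.887Z"
SAMPLE_BODY = (
    b'{"eventType":"payment.statusChange","eventTimestamp":"2024-05-07T14:49:55.884Z",'
    b'"eventId":"c2949dfe-4585-46eb-9213-35f0f7faf055",'
    b'"clientId":"62d23f64-2317-4071-8779-1cf52695b93d",'
    b'"hookType":"payment.statusChange","timestamp":"2024-05-07T14:49:55.884Z",'
    b'"data":{"paymentId":"da96bc8f-cc77-4ae8-80ac-84b648178d60","status":"BOOKED"}}'
)

def parse_signature_header(header: str) -> dict:
    """Split 'ts=...;v0=...' into its fields and reject malformed input."""
    fields = {}
    for part in header.split(";"):
        key, sep, value = part.strip().partition("=")
        if not sep or not key or not value:
            raise ValueError("malformed Signature header")
        fields[key] = value
    if "ts" not in fields or "v0" not in fields:
        raise ValueError("Signature header must carry ts and v0")
    return fields

def compute_signature(secret: str, ts: str, raw_body: bytes) -> str:
    """Steps 1 and 2: build '<ts>.<body>' and return its hex HMAC-SHA256."""
    # Assumption: the secret string is keyed as UTF-8 bytes.
    message = ts.encode("utf-8") + b"." + raw_body
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()

def verify_hook(header: str, raw_body: bytes, secrets: list) -> bool:
    """Accept the hook if any currently valid secret reproduces the v0 value."""
    try:
        fields = parse_signature_header(header)
    except ValueError:
        return False
    provided = fields["v0"].encode("utf-8")
    matched = False
    for secret in secrets:  # several secrets are valid during a rotation
        expected = compute_signature(secret, fields["ts"], raw_body).encode("utf-8")
        # compare_digest runs in constant time, so a mismatch position is not leaked
        if hmac.compare_digest(expected, provided):
            matched = True
    return matched
```

Pass the body bytes exactly as they arrived on the wire; parsing and re-serializing the JSON before hashing changes whitespace or key order and makes a valid signature fail.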

Replay attacks prevention

...