...

Example hook request body:

Code Block
{
    "eventId": "b2935024-5e46-4cf7-878f-5359526922e5",
    "eventType": "payment.statusChange",
    "eventTimestamp": "2024-05-07T15:27:32.197Z",
    "data": {
        "paymentId": "0dbe5c2f-3cf3-4177-84fb-5b25c7f6686f",
        "orderId": "c3ae08d7-5719-4112-bf67-bb9f03e74255",
        "status": "BOOKED"
    }
}

Example signature header (using secret value abcd):

Code Block
Signature: ts=2024-05-07T15:27:32.290Z;v0=a7745d8eb55151d67fa8e95197ce34a4276b7ced2f55982630e9275af57ad317

To verify the signature:

  1. Concatenate the timestamp from the Signature header, a dot (.) and the request body as a string:

Code Block
2024-05-07T15:27:32.290Z.{"eventId":"b2935024-5e46-4cf7-878f-5359526922e5","eventType":"payment.statusChange","eventTimestamp":"2024-05-07T15:27:32.197Z","data":{"paymentId":"0dbe5c2f-3cf3-4177-84fb-5b25c7f6686f","orderId":"c3ae08d7-5719-4112-bf67-bb9f03e74255","status":"BOOKED"}}

  2. Use the HMAC-SHA256 algorithm, with your hook secret as the key, to compute the hexadecimal hash of the string created in the previous step.

...

  • Use the HTTPS protocol for your hook endpoints

  • Store your hook secret securely

  • You can also roll hook secrets periodically

  • If your hook secret was compromised, regenerate the secret and use only the new secret to verify the signature

  • Do not accept webhook requests with an invalid signature

  • Do not accept webhook requests whose timestamp in the Signature header is too old

  • Optionally, you can also set up an IP address whitelist and verify the request originator's IP address.

    • For the production environment, our IP address is 35.189.196.34

    • For the staging environment (used only in special cases upon agreement with the client), our IP address is 34.79.17.248
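
The verification steps and the rejection rules in the list above, combined into one receiver-side check. This is an added Python example, not code from the original page or its vendor. The function names, the 5-minute tolerance, the sample body and the constant-time comparison against the `v0` value are assumptions, since the page does not state a maximum timestamp age.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumption: the page gives no tolerance value


def parse_signature_header(value: str) -> dict:
    """Split 'ts=<timestamp>;v0=<hex>' into its fields; ValueError if incomplete."""
    parts = dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)
    if "ts" not in parts or "v0" not in parts:
        raise ValueError("Signature header must carry both ts and v0")
    return parts


def expected_signature(secret: bytes, ts: str, raw_body: bytes) -> str:
    # Steps 1 and 2: HMAC-SHA256 over "<ts>.<raw body>", hex-encoded.
    # raw_body must be the exact bytes received; re-serialized JSON can differ.
    return hmac.new(secret, ts.encode() + b"." + raw_body, hashlib.sha256).hexdigest()


def verify_hook(secret: bytes, header: str, raw_body: bytes, now=None) -> bool:
    """Return True only for a fresh timestamp and a matching signature."""
    try:
        parts = parse_signature_header(header)
        sent_at = datetime.fromisoformat(parts["ts"].replace("Z", "+00:00"))
    except ValueError:
        return False  # malformed header or timestamp
    if sent_at.tzinfo is None:
        return False  # refuse timestamps without a time zone
    now = now or datetime.now(timezone.utc)
    if abs(now - sent_at) > MAX_AGE:
        return False  # too old (or too far in the future): possible replay
    computed = expected_signature(secret, parts["ts"], raw_body)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(computed.encode(), parts["v0"].lower().encode())


if __name__ == "__main__":
    secret = b"abcd"  # the example secret value from the page
    body = b'{"eventType":"payment.statusChange","data":{"status":"BOOKED"}}'  # constructed
    ts = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    header = f"ts={ts};v0={expected_signature(secret, ts, body)}"
    print("valid request:", verify_hook(secret, header, body))
    print("tampered body:", verify_hook(secret, header, body + b" "))
```
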