Verify the events that we send to your Webhook endpoints. We sign the events by including a signature in each event’s "signature" header. This allows you to verify that the events were sent by O21Pay, not by a third party

We generate signatures using a hash-based message authentication code (HMAC) with SHA-256 v1. To prevent downgrade attacks, you should ignore all schemes that are not v1.


  1. Extract signature from header
  2. Determine the expected signature
  3. Compare the signatures

Example of implementation in NodeJS:

const crypto = require('crypto')

const verifySignature = function (receivedSignature, payload) {
  const hash = crypto
  .createHmac('sha256', 'your merchant secretkey')
  .update(payload, 'utf8')
  return receivedSignature === `${hash}`

let receivedSignature = req.headers['signature']
if (receivedSignature == undefined) return res.sendStatus(404)

let string = JSON.stringify(req.body)
let result = verifySignature(receivedSignature, string)
if (result === true) {
	// Signature is validated
  // Your code here ...
	return res.sendStatus(200)

return res.sendStatus(400)