Verify the events that we send to your webhook endpoints. We sign each event by including a signature in its "signature" header, which allows you to verify that the event was sent by O21Pay and not by a third party.
We generate signatures using a hash-based message authentication code (HMAC) with SHA-256; this is signature scheme v1. To prevent downgrade attacks, ignore any signature scheme that is not v1.
Process
- Extract signature from header
- Determine the expected signature
- Compare the signatures
Example of implementation in NodeJS:
const crypto = require('crypto')
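/**
 * Check a webhook signature against the HMAC-SHA256 (scheme v1) of the payload.
 *
 * The expected value is the base64 HMAC-SHA256 of `payload` under the merchant
 * secret. The comparison is done with `crypto.timingSafeEqual` so that the time
 * a request takes does not depend on how many leading characters of the
 * received signature happen to be correct.
 *
 * @param {string} receivedSignature - value of the "signature" request header
 * @param {string} payload - the exact UTF-8 text that was signed
 * @param {string} [secret] - merchant secret key; defaults to the sample placeholder
 * @returns {boolean} true only when the signature is a string and matches exactly
 */
const verifySignature = function (receivedSignature, payload, secret = 'your merchant secretkey') {
  // Anything other than a string (missing header, array of headers) can never match.
  if (typeof receivedSignature !== 'string') return false
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload, 'utf8')
    .digest('base64')
  const expectedBuf = Buffer.from(expected, 'utf8')
  const receivedBuf = Buffer.from(receivedSignature, 'utf8')
  // timingSafeEqual throws on length mismatch, so a wrong-length value is rejected first;
  // the length of a base64 SHA-256 digest is fixed, so this reveals nothing about the secret.
  if (receivedBuf.length !== expectedBuf.length) return false
  return crypto.timingSafeEqual(receivedBuf, expectedBuf)
}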
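// Read the signature O21Pay placed in the "signature" header.
// NOTE(review): this sample does not inspect a scheme identifier; if the header can
// carry one, confirm that every scheme other than v1 is ignored, as required above.
const receivedSignature = req.headers['signature']
// No signature at all: refuse the request (status code kept as in the original sample).
if (receivedSignature == null) return res.sendStatus(404)
// NOTE(review): the HMAC must be computed over the exact bytes that were signed.
// Re-serialising a body that a JSON middleware has already parsed can change key
// order or whitespace and make a valid signature fail; if the raw request body is
// available, prefer passing it here instead — confirm against the sending side.
const payloadString = JSON.stringify(req.body)
const isValid = verifySignature(receivedSignature, payloadString)
if (isValid === true) {
  // Signature is validated
  // Your code here ...
  return res.sendStatus(200)
}
// A signature was present but did not match: reject the event.
return res.sendStatus(400)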