Callback Handling
Signature Verification (HMAC-SHA256)
To ensure that every Callback/Webhook request entering your endpoint genuinely originates from our server and has not been tampered with during transmission, you are required to validate the signature of each request.
Our system uses the HMAC-SHA256 keyed-hash algorithm to generate this signature.
Prerequisites
Ensure you have obtained your API Key (Secret Key). This key is strictly confidential and can be found in your account Dashboard.
Steps to Verify the Callback
Follow these steps to validate the signature of the incoming requests to your endpoint:
- Extract the Raw JSON Body: Retrieve the raw data (Raw Payload) from the incoming HTTP request.
  Important: Make sure to use the exact Raw JSON Body as it was transmitted. Do not parse, format, modify, or strip any whitespace from the payload prior to the hashing process, as even the slightest alteration will result in a mismatched hash.
- Retrieve the Signature from the Header: Extract the signature value sent by our system via the X-Callback-Api-Key HTTP header. (Note: This header contains the HMAC signature generated by our system, not your actual Secret Key.)
- Generate a Local Hash (Signature): Use the HMAC cryptographic function with the SHA256 algorithm on your system to hash the Raw JSON Body (obtained in Step 1). Use your Callback API Key as the Secret Key for this HMAC function.
- Compare the Signatures: Compare the local hash you just generated (in Step 3) with the signature value provided in the X-Callback-Api-Key header (from Step 2).
- Return an HTTP Response: Based on the comparison in Step 4, your system must respond accordingly:
  - If Matched (Verified): The payload is secure and valid. Proceed to process the data and immediately return an HTTP 200 OK status response to our server.
  - If Mismatched (Unverified): The request is potentially unauthorized or compromised. Discard the request and return an HTTP 401 Unauthorized or 403 Forbidden status response.
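The five steps above as a receiver-side check, written here as an added example and not taken from our SDK or server code. It assumes the header carries a hex-encoded digest (the encoding is not stated on this page), uses a constant-time comparison for Step 4, and the secret, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Assumption: the signature header carries a hex-encoded digest. The page does
# not state the encoding; adapt this if the value is sent as base64.
SIGNATURE_HEADER = "X-Callback-Api-Key"


def compute_signature(raw_body: bytes, secret_key: str) -> str:
    """HMAC-SHA256 over the exact bytes received (Step 3)."""
    return hmac.new(secret_key.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_callback(raw_body: bytes, headers: dict, secret_key: str) -> int:
    """Return the HTTP status for the callback: 200 if verified, else 401."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower(), "").strip()
    if not received:
        return 401  # no signature at all: reject before doing any work
    expected = compute_signature(raw_body, secret_key)
    # compare_digest runs in constant time, so response timing does not
    # reveal how much of a guessed signature was correct. Comparing bytes
    # avoids a TypeError when the header value contains non-ASCII characters.
    if hmac.compare_digest(expected.encode(), received.lower().encode()):
        return 200
    return 401


# Constructed sample data (not real credentials or a real payload).
SAMPLE_SECRET = "example-callback-api-key"
SAMPLE_BODY = b'{"order_id": "A-1001",  "status": "paid"}'  # note the double space
SAMPLE_HEADERS = {"x-callback-api-key": compute_signature(SAMPLE_BODY, SAMPLE_SECRET)}

# Parsing and re-serialising changes the bytes, which changes the hash.
REENCODED_BODY = json.dumps(json.loads(SAMPLE_BODY)).encode()

if __name__ == "__main__":
    print(verify_callback(SAMPLE_BODY, SAMPLE_HEADERS, SAMPLE_SECRET))     # raw body
    print(verify_callback(REENCODED_BODY, SAMPLE_HEADERS, SAMPLE_SECRET))  # re-encoded
    print(verify_callback(SAMPLE_BODY, {}, SAMPLE_SECRET))                 # no header
```

In a web framework, pass the request's unparsed body bytes to `verify_callback` and only decode the JSON after it returns 200.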
More Information
Need Help?
For questions about integration or the API, hit the live chat. Our team's on standby.

