Webhooks security

By default all webhooks use HMAC_SHA_1 as the signing (message-authentication) algorithm.

Signing mechanism:

  1. Convert the request body to bytes
  2. Use the merchant x-api-key as the signing key
  3. Encode the HMAC result as a hex string
  4. Send the digest to the merchant in the "x-payload-digest" request header

Verification mechanism:

  1. Repeat signing steps 1-3 on the merchant side
  2. Compare the result with the "x-payload-digest" string from the request header - they must be equal (use a constant-time comparison)
/**
 * Computes the webhook signature for a request body.
 *
 * @param body   raw request body bytes
 * @param apiKey merchant API key used as the HMAC key
 * @return lowercase hex HMAC-SHA1 digest of {@code body}, the value sent in
 *         the "x-payload-digest" header
 */
private String signHMAC(final byte[] body, final String apiKey) {
    final HmacUtils signer = new HmacUtils(HmacAlgorithms.HMAC_SHA_1, apiKey);
    return signer.hmacHex(body);
}
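// verifySign reports whether requestSign (the "x-payload-digest" header
// value supplied by the caller) matches the HMAC-SHA1 hex digest of rawBody
// computed with the configured API key.
//
// The digests are compared with hmac.Equal rather than ==: a plain string
// comparison stops at the first differing byte, so its running time leaks
// how many leading characters of the expected digest the caller guessed.
func verifySign(rawBody []byte, requestSign string) bool {
	fmt.Println("Verify signature")
	currentSign := generateSignature(rawBody)

	// hmac.Equal is constant-time and returns false on a length mismatch,
	// so an empty or truncated header is rejected without special casing.
	valid := hmac.Equal([]byte(currentSign), []byte(requestSign))

	// Only the outcome is logged; the expected digest is derived from the
	// merchant API key and does not belong in stdout.
	fmt.Println("Signature valid:", valid)
	return valid
}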

// generateSignature returns the lowercase hex encoding of the HMAC-SHA1
// digest of payloadBody keyed with the package-level apiKey. This is the
// value the sender places in the "x-payload-digest" header.
func generateSignature(payloadBody []byte) string {
	h := hmac.New(sha1.New, []byte(apiKey))
	// hash.Hash.Write is documented never to return an error, so the
	// result is deliberately not checked.
	h.Write(payloadBody)
	return hex.EncodeToString(h.Sum(nil))
}