To validate the incoming request, you can use the HMAC signature.
Every request will contain the following headers.

| Header Name | Description | Example Value |
| --- | --- | --- |
| x-scalapay-hmac-v1 | the hmac computed signature | 4cdee4ea0bef437abb3356df7d0edd667479e6baf8f1941c186cdd85d97577 |
| x-scalapay-timestamp | timestamp when the signature was generated | |

The HMAC signature is built from the concatenated raw string:

JavaScript:
const rawBody = `${version}:${timestamp}:${JSON.stringify(payload)}`;

PHP:
$rawString = sprintf('%s:%s:%s', $version, $timestamp, $payload);

The HMAC hash is generated using the merchant’s API key as the secret, SHA-256 as the algorithm, and a hex digest as the output encoding.

JavaScript:
const crypto = require('crypto');

const api_key = 'api-key';
const version = 'V1';
const timestamp = '1234567890123';
const payload = {"payload":"payload"};

// HMAC-SHA256 over "version:timestamp:payload", keyed with the API key, hex encoded
const createSignature = (version, api_key, timestamp, payload) => {
  const rawBody = `${version}:${timestamp}:${JSON.stringify(payload)}`;
  return crypto.createHmac('sha256', api_key).update(rawBody).digest("hex");
};

PHP:
$api_key = 'api_key';
$version = 'V1';
$timestamp = '1234567890123';
$payload = '{"payload":"payload"}';

// HMAC-SHA256 over "version:timestamp:payload", keyed with the API key, hex encoded
function createSignature($version, $api_key, $timestamp, $payload): string
{
    $rawString = sprintf('%s:%s:%s', $version, $timestamp, $payload);
    return hash_hmac('sha256', $rawString, $api_key);
}

Comparing the value of x-scalapay-hmac-v1 to the generated hash will validate the authenticity of the request.


❗️ IMPORTANT

Some languages and frameworks can change the case of header names. Always make sure header names are in lowercase before reading them.

PHP:
$headers = array_change_key_case(getallheaders(), CASE_LOWER);
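
A fuller verification routine for the steps above, as an added example that is not Scalapay's own code: it lowercases header names, rebuilds the signature over the body string as received, and compares it in constant time. Assumptions not stated on the page: the timestamp is epoch milliseconds, a 5-minute freshness window is acceptable, the received body is exactly what the sender signed, and the helper names `sign`, `verifyWebhook` and `demo` are hypothetical.

```javascript
const crypto = require('crypto');

// Assumptions (not stated on the page): timestamp is epoch milliseconds,
// and a 5-minute freshness window is acceptable.
const MAX_SKEW_MS = 5 * 60 * 1000;

// Same construction as the page: HMAC-SHA256 over "version:timestamp:body", hex digest.
function sign(apiKey, version, timestamp, rawBody) {
  return crypto.createHmac('sha256', apiKey)
    .update(`${version}:${timestamp}:${rawBody}`)
    .digest('hex');
}

// headers: object as received; rawBody: body string as received (assumed to be what was signed).
function verifyWebhook(headers, rawBody, apiKey, now = Date.now()) {
  // Normalise header names so a framework that changes case cannot hide them.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const received = h['x-scalapay-hmac-v1'];
  const timestamp = h['x-scalapay-timestamp'];
  if (!received || !timestamp) return { ok: false, reason: 'missing-header' };

  // Reject malformed or old timestamps before doing any HMAC work.
  if (!/^\d+$/.test(timestamp)) return { ok: false, reason: 'bad-timestamp' };
  if (Math.abs(now - Number(timestamp)) > MAX_SKEW_MS) return { ok: false, reason: 'stale' };

  const expected = Buffer.from(sign(apiKey, 'V1', timestamp, rawBody));
  const given = Buffer.from(received);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  return { ok: true, reason: 'valid' };
}

// Constructed sample request, reusing the page's example values.
function demo() {
  const body = '{"payload":"payload"}';
  const ts = '1234567890123';
  const now = Number(ts) + 1000;
  const headers = { 'X-Scalapay-Hmac-V1': sign('api-key', 'V1', ts, body), 'X-Scalapay-Timestamp': ts };
  return {
    valid: verifyWebhook(headers, body, 'api-key', now),
    tampered: verifyWebhook(headers, '{"payload":"changed"}', 'api-key', now),
    replayed: verifyWebhook(headers, body, 'api-key', now + 60 * 60 * 1000),
  };
}
console.log(demo());
```

Hashing the body string as received avoids mismatches that re-serializing a parsed object can introduce, such as different whitespace or key order.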