To validate the incoming request you can use the HMAC signature.
Every request will contain these headers:
| Header Name | Description | Example Value |
|---|---|---|
| x-scalapay-hmac-v1 | the HMAC signature computed for the request | 4cdee4ea0bef437abb3356df7d0edd667479e6baf8f1941c186cdd85d97577 |
| x-scalapay-timestamp | timestamp at which the signature was generated | |
The HMAC signature is computed over a single raw string made by concatenating the version, the timestamp and the payload, separated by colons:

JavaScript:

```javascript
const rawBody = `${version}:${timestamp}:${JSON.stringify(payload)}`;
```

PHP:

```php
$rawString = sprintf('%s:%s:%s', $version, $timestamp, $payload);
```
The HMAC is generated using the merchant's API key as the secret, SHA-256 as the algorithm and a hex digest.

JavaScript:

```javascript
const crypto = require('crypto');

const api_key = 'api-key';          // the merchant's API key (secret)
const version = 'V1';
const timestamp = '1234567890123';  // value of the x-scalapay-timestamp header
const payload = { payload: 'payload' };

const createSignature = (version, api_key, timestamp, payload) => {
  // version:timestamp:payload, then HMAC-SHA256 with the API key, hex encoded
  const rawBody = `${version}:${timestamp}:${JSON.stringify(payload)}`;
  return crypto.createHmac('sha256', api_key).update(rawBody).digest('hex');
};

const signature = createSignature(version, api_key, timestamp, payload);
```

PHP:

```php
<?php
$api_key = 'api_key';          // the merchant's API key (secret)
$version = 'V1';
$timestamp = '1234567890123';  // value of the x-scalapay-timestamp header
$payload = '{"payload":"payload"}';

function createSignature($version, $api_key, $timestamp, $payload): string
{
    // version:timestamp:payload, then HMAC-SHA256 with the API key, hex encoded
    $rawString = sprintf('%s:%s:%s', $version, $timestamp, $payload);
    return hash_hmac('sha256', $rawString, $api_key);
}

$signature = createSignature($version, $api_key, $timestamp, $payload);
```
Compare the value of the `x-scalapay-hmac-v1` header with the signature you generated: if they match, the request is authentic.

IMPORTANT

Some languages and frameworks change the case of header names. Always normalise header names to lowercase before reading them.

PHP:

```php
$headers = array_change_key_case(getallheaders(), CASE_LOWER);
```