To validate the incoming request you can use the HMAC signature.
Every request will contain these headers:

Header Name            Description                                  Example Value
x-scalapay-hmac-v1     the HMAC computed signature                  4cdee4ea0bef437abb3356df7
x-scalapay-timestamp   timestamp when the signature was generated

The HMAC signature is built from the concatenated raw string "<version>:<timestamp>:<payload>":

JavaScript:
const rawBody = `${version}:${timestamp}:${JSON.stringify(payload)}`;

PHP:
$rawString = sprintf('%s:%s:%s', $version, $timestamp, $payload);

The HMAC hash is generated with the merchant's api-key as the secret, SHA-256 as the algorithm, and a hex-encoded digest.

JavaScript:
const crypto = require('crypto');

const api_key = 'api-key';
const version = 'V1';
const timestamp = '1234567890123';
const payload = {"payload":"payload"};

// HMAC-SHA256 over "<version>:<timestamp>:<json payload>", keyed with the api-key, hex-encoded
const createSignature = (version, api_key, timestamp, payload) => {
  const rawBody = `${version}:${timestamp}:${JSON.stringify(payload)}`;
  return crypto.createHmac('sha256', api_key).update(rawBody).digest("hex");
};
Python:
import hmac
import hashlib

api_key = b'api_key'
version = 'V1'
timestamp = '1234567890123'
payload = '{"payload":"payload"}'

def createSignature(version, api_key, timestamp, payload):
    # HMAC-SHA256 over "<version>:<timestamp>:<payload>", keyed with the api-key, hex-encoded
    rawString = '{}:{}:{}'.format(version, timestamp, payload)
    return hmac.new(api_key, msg=rawString.encode('utf-8'), digestmod=hashlib.sha256).hexdigest()
PHP:
$api_key = 'api_key';
$version = 'V1';
$timestamp = '1234567890123';
$payload = '{"payload":"payload"}';

// HMAC-SHA256 over "<version>:<timestamp>:<payload>", keyed with the api-key, hex-encoded
function createSignature($version, $api_key, $timestamp, $payload) :string
{
    $rawString = sprintf('%s:%s:%s', $version, $timestamp, $payload);
    return hash_hmac('sha256', $rawString, $api_key);
}

Compare the value of the x-scalapay-hmac-v1 header with the hash you generate; if they match, the request is authentic.

Some languages and frameworks change the case of header names. Always normalize header names to lowercase before looking them up.

PHP:
// getallheaders() returns names as sent by the client; lowercase the keys before looking up x-scalapay-hmac-v1
$headers = array_change_key_case(getallheaders(), CASE_LOWER);