Callback requests are accompanied by a Pensopay-Signature
header that can be used to validate that the callback originates from us.
To verify the callback, compute an HMAC-SHA256 checksum of the request body with your private key (found on app.pensopay.com) and check that it equals the value in the Pensopay-Signature header.
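<?php
// Verify the callback over the raw request body: the signature was computed
// over the exact bytes that were sent, so never re-encode a decoded copy.
$request_body = file_get_contents("php://input");
$private_key = 'your-private-key';
$checksum = hash_hmac("sha256", $request_body, $private_key);

// The header may be absent on forged or misrouted requests; treat that as
// invalid instead of handing null to hash_equals() (a TypeError on PHP 8).
$received = $_SERVER["HTTP_PENSOPAY_SIGNATURE"] ?? '';

// hash_equals() takes the known (computed) value first and the user-supplied
// value second; the constant-time comparison avoids leaking the checksum.
if (is_string($received) && hash_equals($checksum, $received)) {
    // Callback is valid
} else {
    // Invalid callback
}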
import crypto from 'crypto';
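// if using the body-parser middleware - https://github.com/expressjs/body-parser
// configure it to keep the raw bytes, e.g. bodyParser.json({ verify: (req, res, buf) => { req.rawBody = buf; } }),
// because the signature was computed over the body exactly as sent.

// Node lowercases incoming header names but does NOT add the CGI-style "HTTP_"
// prefix that PHP's $_SERVER uses, so 'http_pensopay_signature' never matches.
const SIGNATURE_HEADER = 'pensopay-signature';

/**
 * Checks whether a callback carries a valid Pensopay-Signature.
 *
 * @param {string|Buffer} rawBody - the request body exactly as received. Re-serialising
 *   a parsed body (JSON.stringify(req.body)) can change key order, whitespace or number
 *   formatting, and the checksum then no longer matches.
 * @param {string|undefined} signature - value of the Pensopay-Signature header.
 * @param {string} privateKey - your private key from app.pensopay.com.
 * @returns {boolean} true only when the signature matches the computed HMAC.
 */
function isAuthenticCallback(rawBody, signature, privateKey) {
  if (typeof signature !== 'string' || signature.length === 0) {
    return false; // header missing or malformed
  }
  const calculated = crypto
    .createHmac('sha256', privateKey)
    .update(rawBody)
    .digest('hex');
  const expected = Buffer.from(calculated, 'utf8');
  const received = Buffer.from(signature, 'utf8');
  // timingSafeEqual throws on a length mismatch, so check lengths first; a plain
  // === comparison would leak timing information about the correct checksum.
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

/**
 * Express-style handler for the callback route.
 *
 * @param {import('http').IncomingMessage & { rawBody?: Buffer, body?: unknown }} req
 * @param {import('http').ServerResponse} res
 */
function handlePensopayCallback(req, res) {
  const privateKey = 'private-key';
  // Prefer the raw bytes captured by body-parser's verify hook; the stringify
  // fallback only works when the re-serialised body is byte-identical to the original.
  const rawBody = req.rawBody ?? JSON.stringify(req.body);
  if (isAuthenticCallback(rawBody, req.headers[SIGNATURE_HEADER], privateKey)) {
    // Authentic callback
  } else {
    // Invalid callback
  }
}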