Callback requests are accompanied by a Pensopay-Signature header that can be used to validate that the callback originates from us.

To verify the callback you can generate a checksum using HMAC with SHA256 and your private key (found on to verify that it's equal to the one we sent


$request_body = file_get_contents("php://input");
$private_key  = 'your-private-key';
$checksum     = hash_hmac("sha256", $request_body, $private_key);

if (hash_equals($_SERVER["HTTP_PENSOPAY_SIGNATURE"], $checksum)) {
    // Callback is valid
} else {
    // Invalid callback
import crypto from 'crypto';

// if using the body-parser middleware - 
const privateKey = 'private-key'; 
const checksum = req.headers['http_pensopay_signature']; 
const body = req.body; 
const bodyAsString = JSON.stringify(body); 
const calculated = crypto 
  .createHmac('sha256', privateKey) 

if (calculated === checksum) { 
  // Authentic callback
} else { 
  // Invalid callback