Verifying the HMAC Signature
To verify the HMAC signature included in the webhook payload, follow these steps:
1. Retrieve the PayNow-Signature header from the webhook request, containing the HMAC of the entire payload body and the timestamp.
2. Extract the Unix millisecond timestamp from the PayNow-Timestamp header.
3. Create a string by combining the timestamp from the header, followed by a dot (".") and then the actual payload string from the webhook request. Then create an HMAC signature using the resulting string and your signing secret.
4. Compare the calculated signature with the signature provided in the PayNow-Signature header.
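
The steps above as an added Python example (not PayNow's own code). The page does not name the hash function, the signature encoding or a timestamp tolerance, so HMAC-SHA256, a hex digest and a five-minute freshness window are assumptions here, as are the function names.

```python
import hashlib
import hmac
import time

# Assumptions, not stated on the page: HMAC-SHA256, hex-encoded digest,
# and a 5-minute tolerance on the timestamp to limit replay of old requests.
MAX_SKEW_MS = 5 * 60 * 1000


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC over '<timestamp>.<raw body>' keyed with the signing secret."""
    signed = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now_ms=None) -> bool:
    """Return True only if the signature matches and the timestamp is fresh.

    `body` must be the raw request bytes exactly as received; re-serialising
    parsed JSON changes the bytes and the signature will no longer match.
    """
    signature = headers.get("PayNow-Signature")
    timestamp = headers.get("PayNow-Timestamp")
    if not signature or not timestamp:
        return False
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if abs(now_ms - int(timestamp)) > MAX_SKEW_MS:
        return False
    expected = compute_signature(secret, timestamp, body)
    provided = signature.strip().lower()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), provided.encode())


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    secret = b"constructed-signing-secret"
    body = b'{"event":"constructed.sample"}'
    ts = str(int(time.time() * 1000))
    headers = {"PayNow-Timestamp": ts,
               "PayNow-Signature": compute_signature(secret, ts, body)}
    print("valid:", verify_webhook(secret, headers, body))
    print("tampered:", verify_webhook(secret, headers, body + b" "))
```

Most web frameworks expose headers through a case-insensitive mapping; with a plain dict, normalise the header names before calling `verify_webhook`.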