Verifying the HMAC Signature

To verify the HMAC signature included in the webhook payload, follow these steps:

  1. Retrieve the PayNow-Signature header from the webhook request; it carries the HMAC computed over the timestamp and the entire raw payload body.

  2. Extract the Unix millisecond timestamp from the PayNow-Timestamp header.

  3. Build the string to sign by concatenating the timestamp from the header, a dot ("."), and the raw payload body exactly as received (do not re-serialize it, since any whitespace or key-order change alters the HMAC). Compute an HMAC over that string using your signing secret as the key.

  4. Compare the calculated signature with the signature provided in the PayNow-Signature header.

When comparing HMAC signatures, avoid using simple string comparison methods, as they may be susceptible to timing attacks. Instead, use constant-time comparison techniques to compare the calculated signature with the provided signature, ensuring that the comparison takes the same amount of time regardless of the comparison result.
