Verify Webhook Signature

Signature verification is mandatory: it ensures that a webhook you receive was produced by Dex3 and was not tampered with in transit.

Overview

Signature verification is a crucial step in ensuring the authenticity and integrity of data received from webhooks. By recomputing the signature over the fields of the webhook payload and comparing it with the signature provided, you can confirm that the data originated from Dex3 servers and has not been tampered with during transit. Because your merchant private key is an input to the hash, only a party that holds that key can produce a valid signature; keep it on your server and never expose it to client-side code.

Process

  • Receive Signature: Extract the signature field from the webhook payload delivered to your endpoint.

  • Construct Hash String: Concatenate the following parameters, in the order listed and using the values exactly as received, into a single string before applying the hash function:

    • order_id: The unique identifier for the order or transaction.

    • merchant_public: The public key of your merchant.

    • amount: The amount of the transaction.

    • hash: The hash of the transaction.

    • merchant_private: Your merchant private key, taken from your own configuration (not from the payload). Keep it secret.

  • Apply Hash Function: Compute the SHA-256 hash of the concatenated string and encode the digest as a hexadecimal string.

  • Compare Signatures: Compare the calculated hex digest with the signature extracted from the webhook payload, using a constant-time comparison so that the check does not leak how many leading characters matched. If the two values match, the signature is valid and the data integrity is confirmed. If they do not match, reject the webhook and do not process its data.

import { createHash, timingSafeEqual } from 'crypto'; // Built into Node.js, nothing to install

const webhookSignature = webhook.signature; // Webhook payload from POST
const merchantPublic = process.env.MERCHANT_PUBLIC;
const merchantPrivate = process.env.MERCHANT_PRIVATE;

// Construct the string to hash, in this exact order, using the field values as received
const string = webhook.order_id + merchantPublic + webhook.amount + webhook.hash + merchantPrivate;
const calculatedSignature = createHash('sha256').update(string).digest('hex'); // hex digest

// Compare signatures in constant time (timingSafeEqual throws on unequal lengths, so check length first)
const expected = Buffer.from(calculatedSignature, 'utf8');
const received = Buffer.from(String(webhookSignature), 'utf8');
if (expected.length === received.length && timingSafeEqual(expected, received)) {
  // Signature verification successful
  // Proceed with processing webhook data
} else {
  // Signature verification failed
  // Reject webhook data (for example, respond with a 4xx status) and do not act on it
}
