WooshPay OpenAPI

Check the webhook signatures

Overview#

Verify the events that Wooshpay sends to your webhook endpoints.

Wooshpay signature header#

The Wooshpay-Signature header included in each signed event contains a timestamp and signature.
The timestamp is prefixed by t=, and each signature is prefixed by v1.
For example:
Wooshpay-Signature:t=1492774577,v1=6fdfb9c357542b8ee07277f5fca2c6f728bae2dce9be2f91412f4de922c1bae4

Webhook secret key#

Wooshpay generates a unique secret key for each webhook endpoint; the key is prefixed with whsec_.
Before verifying signatures, retrieve your webhook secret from the webhook.secret field of the webhook object. Store it server-side and never expose it to clients: anyone holding the secret can forge valid signatures.

Verifying signatures#

By comparing the signature in the header to the expected signature you compute yourself, you can verify that the event was sent by Wooshpay and not by a third party.
To verify the signature step by step, you can follow the guide below:

Step 1: Extract the timestamp and signatures from the header#

Split the header, using the , character as the separator, to get a list of elements. Then split each element, using the = character as the separator, to get a prefix and value pair.
The value for the prefix t corresponds to the timestamp, and v1 corresponds to the signature. You can discard all other elements.
For example:
t=1687845304,v1=6fdfb9c357542b8ee07277f5fca2c6f728bae2dce9be2f91412f4de922c1bae4

Step 2: Prepare the signed_payload string#

The signed_payload string is created by concatenating:
The timestamp (as a string)
The character .
The raw JSON payload (the request body, byte for byte as received; do not parse and re-serialize it, because any change in whitespace, key order or encoding changes the HMAC)
For example, with timestamp 1687845304 the signed_payload is timestamp + "." + JSON payload:
1687845304.{
  "id": "evt_1NNUrjL6kclEVx6Mb1x5dKJ3",
  "object": "event",
  "api_version": "2022-11-15",
  "created": 1687845303,
  "data": {
    "object": {
      "id": "prod_O9oUVgsSaordCT",
      "object": "product",
      "active": true,
      "livemode": true,
      "name": "test",
      "type": "service"
    }
  },
  "livemode": true,
  "pending_webhooks": 1,
  "type": "product.created"
}

Step 3: Determine the expected signature#

Compute an HMAC using the SHA-256 hash function.
Use the endpoint's webhook secret as the key (retrieved from webhook.secret in the webhook object).
Use the signed_payload string you prepared in step 2 as the message.
The hex-encoded HMAC-SHA256 of that key and message is the expected signature; it is the value that appears after v1= in the header.

Step 4: Compare the signatures#

Compare the signature in the header to the expected signature.
If they match, also compute the difference between the current time and the received timestamp and reject the event if the difference exceeds your tolerance; this stops an attacker from replaying an old, validly signed event.
To protect against timing attacks, use a constant-time string comparison when comparing the expected signature to each of the received signatures, rather than an ordinary == check, which can leak how many leading characters matched.
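The four steps above, carried through end to end as an added Python example. This is not code from the Wooshpay documentation or SDK; the secret, event body, timestamp and 300-second tolerance are constructed values for illustration, and the sign_for_test helper only exists so the verifier can be exercised offline by playing the sender's role. The body is handled as raw bytes throughout, which is the detail most implementations get wrong.

```python
import hmac
import hashlib
import time

# Constructed sample values for this example only (not a real WooshPay secret or event).
SAMPLE_SECRET = "whsec_example_secret_for_demo_only"
SAMPLE_BODY = b'{"id":"evt_1NNUrjL6kclEVx6Mb1x5dKJ3","object":"event","type":"product.created"}'
DEFAULT_TOLERANCE = 300  # seconds; the page leaves the exact window to you


def parse_signature_header(header):
    """Step 1: split the Wooshpay-Signature header into the timestamp and the v1 signatures.

    Elements with any other prefix are discarded, as the page says.
    """
    timestamp = None
    signatures = []
    for element in header.split(","):
        prefix, sep, value = element.strip().partition("=")
        if not sep:
            continue
        if prefix == "t":
            timestamp = value
        elif prefix == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("Wooshpay-Signature header is missing a t= or v1= element")
    return timestamp, signatures


def compute_signature(secret, timestamp, body):
    """Steps 2 and 3: hex HMAC-SHA256 over '<timestamp>.<raw body>' keyed with the webhook secret.

    `body` must be the exact bytes received on the wire, never a re-serialized JSON object.
    """
    signed_payload = timestamp.encode("utf-8") + b"." + body
    return hmac.new(secret.encode("utf-8"), signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(body, header, secret, tolerance=DEFAULT_TOLERANCE, now=None):
    """Step 4: constant-time compare against every v1 signature, then enforce the timestamp window.

    Returns True only when some v1 signature matches AND the timestamp is within `tolerance`
    seconds of `now` (defaults to the current time). A valid signature on a stale timestamp is
    rejected, which defeats replay of a captured event.
    """
    timestamp, signatures = parse_signature_header(header)
    expected = compute_signature(secret, timestamp, body)
    # hmac.compare_digest runs in time independent of where the strings first differ.
    if not any(hmac.compare_digest(expected, sig) for sig in signatures):
        return False
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    return abs(current - sent_at) <= tolerance


def sign_for_test(secret, timestamp, body):
    """Plays the sender's role: builds the header Wooshpay would attach for this timestamp and body."""
    return f"t={timestamp},v1={compute_signature(secret, str(timestamp), body)}"


if __name__ == "__main__":
    header = sign_for_test(SAMPLE_SECRET, 1687845304, SAMPLE_BODY)
    print(header)
    print("fresh event verifies:", verify_webhook(SAMPLE_BODY, header, SAMPLE_SECRET, now=1687845304 + 5))
    print("replayed 20 min later:", verify_webhook(SAMPLE_BODY, header, SAMPLE_SECRET, now=1687845304 + 1200))
```

In a real handler, read the body with your framework's raw-bytes accessor (for example request.get_data() in Flask or await request.body() in FastAPI) before any JSON parsing, and only decode the JSON after verify_webhook has returned True.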
Modified at 2023-06-27 10:10:06