Consuming Webhooks - Signature

How to verify the signature included in the response.

This guide goes into further detail on how to process a webhook payload for an event.

How to verify the signature

Safepay will attach the signature to the request via the X-SFPY-Signature header. In order to verify that the request is indeed from Safepay, you should reconstruct the signature using your webhook secret. This should match the signature in the request. Samples are presented below:

1
const crypto = require(‘crypto’);
2
var payload = {
3
    token: “C5A5APSBCV41R2QF2MHG”,
4
    client_id: “sec_55ca6960 - e2ea - 4643 - b0cf - 7 cd65a4d3112”,
5
    type: “payment: created”,
6
    endpoint: “http: //127.0.0.1:9000”,
7
        notification: {
8
            tracker: “tracker_c5a5apsbcv41om3fg0u0 ",
9
            reference: “514087”,
10
            intent: “PAYFAST”,
11
            fee: “4.92”,
12
            net: “145.08 ",
13
            user: “johndoe @gmail.com”,
14
            state: “PAID”,
15
            amount: “150”,
16
            currency: “PKR”,
17
            metadata: {
18
                order_id: “XG102312”,
19
                source: “shopify”
20
            }
21
        },
22
    delivery_attempts: 1,
23
    resource: “notification”,
24
    next_attempt_at: “2021 - 10 - 01 T09: 05: 33 Z”,
25
    created_at: “2021 - 09 - 29 T12: 00: 40 Z”
26
};
27
const data = Buffer.from(JSON.stringify(payload));
28
const secret = ‘86 f63866a6e9b27f8f48a2d0a2946171b03639ea2e5000213e641da781a87d6e’;
29
const hash = crypto.createHmac(‘sha512’, secret)
30
    .update(data)
31
    .digest(‘hex’);
32
console.log(hash);

Basics

Payloads