Signature Verification
In addition to the Webhook-Hash header, when we send a notification back to the webhook URL we provide a Kitegateway-Signature header so that merchants can trust that the callbacks originate from the Kitegateway servers.
Signature verification can be done with the following procedure:
Retrieve the value of the Kitegateway-Signature header.
Form the string payload to be used in signature verification. This is obtained by concatenating the values of the notification data in the following format:
id:merchant_reference:kitegateway_reference:transaction_status:webhook_url
where webhook_url is the full URL as added to your merchant account API token settings.
Assume the sample notification data below:
{
...
"id": "383737927636356536773773",
"merchant_reference": "88736jh-kkas87-mmn736-9n873ms-6636h",
"kitegateway_reference": "PL-KMSSD-30000",
"transaction_status": "COMPLETED",
...
}
and that the callback URL is
https://some-callback-url
The string payload would therefore be
383737927636356536773773:88736jh-kkas87-mmn736-9n873ms-6636h:PL-KMSSD-30000:COMPLETED:https://some-callback-url
Obtain the Kitegateway public key as explained here and store it as a file.
Use the Kitegateway public key to verify the signature as shown in the example source code below:
Signature Verification Code Example
const crypto = require('crypto');
const fs = require('fs');

function isSignatureValid() {
  // String payload formed from the notification data and the webhook URL
  const strPayload = "383737927636356536773773:88736jh-kkas87-mmn736-9n873ms-6636h:PL-KMSSD-30000:COMPLETED:https://some-callback-url";
  // Value of the Kitegateway-Signature header (base64 encoded)
  const signature = "value-of-kitegateway-signature";
  const publicKeyFile = "path-to-file/kitegateway.public.key.pem";
  // Turn any literal "\n" sequences in the stored key into real line breaks
  const publicKey = fs.readFileSync(publicKeyFile).toString().replace(/\\n/g, '\n');

  const verify = crypto.createVerify("SHA512");
  verify.write(strPayload);
  verify.end();

  // true if the signature matches the payload, false otherwise
  return verify.verify(publicKey, signature, 'base64');
}
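Added example, not part of the Kitegateway documentation: the function above hardcodes the payload, so this sketch builds it from the parsed notification and the webhook URL held in your own configuration, then verifies it the same way. The function names are hypothetical, and a throwaway RSA key pair and a constructed FAILED status stand in for the Kitegateway key and a tampered callback.

```javascript
const crypto = require('crypto');

// Field order from the documented payload format; webhook_url is appended last.
const PAYLOAD_FIELDS = ['id', 'merchant_reference', 'kitegateway_reference', 'transaction_status'];

// Builds "id:merchant_reference:kitegateway_reference:transaction_status:webhook_url".
// webhookUrl must come from your own configuration, never from the incoming request.
// Assumption: signed fields arrive as non-empty strings, as in the sample notification.
function buildPayload(notification, webhookUrl) {
  const values = PAYLOAD_FIELDS.map((field) => notification[field]);
  if (values.some((v) => typeof v !== 'string' || v === '') || !webhookUrl) {
    return null; // a signed field is missing, so there is nothing to verify
  }
  return [...values, webhookUrl].join(':');
}

// Returns true only if signatureB64 verifies over the rebuilt payload (fails closed).
function isNotificationAuthentic(notification, signatureB64, webhookUrl, publicKey) {
  const payload = buildPayload(notification, webhookUrl);
  if (payload === null || typeof signatureB64 !== 'string' || signatureB64 === '') {
    return false;
  }
  const verify = crypto.createVerify('SHA512');
  verify.update(payload);
  verify.end();
  return verify.verify(publicKey, signatureB64, 'base64');
}

// Constructed demo: signs the sample notification with a throwaway key pair.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const url = 'https://some-callback-url';
  const notification = {
    id: '383737927636356536773773',
    merchant_reference: '88736jh-kkas87-mmn736-9n873ms-6636h',
    kitegateway_reference: 'PL-KMSSD-30000',
    transaction_status: 'COMPLETED',
  };
  const payload = buildPayload(notification, url);
  const signature = crypto.createSign('SHA512').update(payload).sign(privateKey, 'base64');
  const tampered = { ...notification, transaction_status: 'FAILED' }; // constructed value
  return {
    genuine: isNotificationAuthentic(notification, signature, url, publicKey),
    tampered: isNotificationAuthentic(tampered, signature, url, publicKey),
    wrongUrl: isNotificationAuthentic(notification, signature, 'https://other-url', publicKey),
    noSignature: isNotificationAuthentic(notification, undefined, url, publicKey),
  };
}
```

Only act on transaction_status after the check returns true; a callback with a missing header or missing signed field is rejected before any cryptographic work is done.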