# Signature Verification

In addition to the `Webhook-Hash` header, every notification we send to the `webhook URL` carries a `Kitegateway-Signature` header, so that merchants can verify that callbacks originate from the Kitegateway servers.

### **Signature verification can be done with the following procedure:**

1. Retrieve the value of the `Kitegateway-Signature` header.
2. Form the string payload to be used in signature verification. It is obtained by concatenating values from the notification data, separated by colons, in the following format:\
   \
   `id:merchant_reference:kitegateway_reference:transaction_status:webhook_url`\
   \
   where **`webhook_url`** is the full URL as added to your merchant account API token settings.

Assume the sample notification data below:

```javascript
{
    ...
    "id": "383737927636356536773773",
    "merchant_reference": "88736jh-kkas87-mmn736-9n873ms-6636h",
    "kitegateway_reference": "PL-KMSSD-30000",
    "transaction_status": "COMPLETED",
    ...
}
```

and that the callback URL is

`https://some-callback-url`

The string payload would therefore be:

`383737927636356536773773:88736jh-kkas87-mmn736-9n873ms-6636h:PL-KMSSD-30000:COMPLETED:https://some-callback-url`

3. Obtain the Kitegateway public key as explained [here](/dashboard/api-credentials.md#aip_key) and store it as a file.
4. Use the Kitegateway public key to verify the signature, as shown in the example source code below.

#### Signature Verification Code Example <a href="#signature-verification-code-samples" id="signature-verification-code-samples"></a>

{% tabs %}
{% tab title="NodeJS" %}

```javascript
const crypto = require('crypto');
const fs = require('fs');

function isSignatureValid() {
    const strPayload = "383737927636356536773773:88736jh-kkas87-mmn736-9n873ms-6636h:PL-KMSSD-30000:COMPLETED:https://some-callback-url";
    const signature = "value-of-kitegateway-signature";
    const publicKeyFile = "path-to-file/kitegateway.public.key.pem";
    const publicKey = fs.readFileSync(publicKeyFile).toString().replace(/\\n/g, '\n');

    const verify = crypto.createVerify("SHA512");
    verify.write(strPayload);
    verify.end();

    /*true or false*/
    return verify.verify(publicKey, signature, 'base64');
}
```

{% endtab %}

{% tab title="PHP" %}

```php
<?php

function isSignatureValid() {
    $file = "path-to-file/kitegateway.public.key.pem";
    $keyContent = file_get_contents($file);
    $publicKey = openssl_get_publickey($keyContent);
    $strPayload = "383737927636356536773773:88736jh-kkas87-mmn736-9n873ms-6636h:PL-KMSSD-30000:COMPLETED:https://some-callback-url";
    // The header value is base64-encoded; decode it before verification.
    $signature = base64_decode("value-of-kitegateway-signature");

    /* true or false: openssl_verify returns 1 only for a valid signature
       (0 = invalid, -1 or false = error), so compare strictly against 1 */
    return openssl_verify($strPayload, $signature, $publicKey, OPENSSL_ALGO_SHA512) === 1;
}

?>
```

{% endtab %}
{% endtabs %}
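The samples above verify a hard-coded payload. The following added example (not Kitegateway's own code) builds the payload from the notification fields and rejects a missing header, a modified field, or a different webhook URL. The function names are hypothetical, and the throwaway RSA key pair is an assumption that stands in for the Kitegateway key so the example runs offline.

```javascript
const crypto = require('crypto');

// Field order fixed by the documented payload format; webhook_url is appended last.
const FIELDS = ['id', 'merchant_reference', 'kitegateway_reference', 'transaction_status'];

function buildSignaturePayload(notification, webhookUrl) {
    const parts = FIELDS.map((field) => {
        const value = notification[field];
        if (value === undefined || value === null || value === '') {
            throw new Error(`missing notification field: ${field}`);
        }
        return String(value);
    });
    return [...parts, webhookUrl].join(':');
}

// Returns true only for a valid signature; a missing header or malformed input fails closed.
function verifyNotification(notification, webhookUrl, signatureHeader, publicKeyPem) {
    if (typeof signatureHeader !== 'string' || signatureHeader.trim() === '') return false;
    try {
        const verifier = crypto.createVerify('SHA512');
        verifier.update(buildSignaturePayload(notification, webhookUrl));
        return verifier.verify(publicKeyPem, signatureHeader.trim(), 'base64');
    } catch (err) {
        return false; // missing field or unusable key
    }
}

// Constructed demo: a locally generated RSA key pair (assumption) signs the page's sample data.
function demo() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
        modulusLength: 2048,
        publicKeyEncoding: { type: 'spki', format: 'pem' },
        privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
    });
    const url = 'https://some-callback-url';
    const notification = {
        id: '383737927636356536773773', merchant_reference: '88736jh-kkas87-mmn736-9n873ms-6636h',
        kitegateway_reference: 'PL-KMSSD-30000', transaction_status: 'COMPLETED',
    };
    const signature = crypto.createSign('SHA512')
        .update(buildSignaturePayload(notification, url)).sign(privateKey, 'base64');
    return {
        genuine: verifyNotification(notification, url, signature, publicKey),
        tampered: verifyNotification({ ...notification, transaction_status: 'TAMPERED' }, url, signature, publicKey),
        wrongUrl: verifyNotification(notification, url + '/', signature, publicKey),
        missingHeader: verifyNotification(notification, url, undefined, publicKey),
    };
}
console.log(demo());
```

In a real handler, pass the header value from the incoming request and the PEM file obtained in step 3, and act on the notification only when the function returns `true`.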


