question

sebastian avatar image
sebastian asked dcode commented

Hosted Checkout, webhook signature verification

Hi,

We are integrating Hosted Checkout using the instruction on https://docs.clover.com/docs/hosted-checkout-api We have successfully made a sandbox transaction and received a webhook message on our endpoint.

The webhoook message contains the a header field 'Clover-Signature'.

E.g. 'Clover-Signature: t=1642599079,v1=tf1535bddbf8923d77ca9665eed5fc89b8b5506bbad137cd4ca76aa2a8d2a342'.

According to https://docs.clover.com/docs/ecomm-hosted-checkout-webhook this signature value should be "computed using the current time + payload + webhook secret".

Do you have any sample code (e.g. in PHP) or an algorithm showing how this actually should be calculated? We tried sha1() of the combined value of 'current time + payload + webhook secret' and a few other things but the computed value doesn't match the sent signature.

Webhooks
1 comment
10 |2000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

dcode avatar image dcode commented ·
Hi , were you able to validate the signature ? can you please help me also on this
0 Likes 0 ·

2 Answers

·
David Marginian avatar image
David Marginian Deactivated answered David Marginian Deactivated edited

1) Append the timestamp + a ".", plus the raw request payload, e.g. 1642599079.json, where json is the raw request body of the received webhook message.

2) Hash the value from #1 using HmacSHA256 and your webhook secret key.

3) Compare the string from 2 with the v1 signature value, if they match, the signature is valid.

10 |2000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

David Marginian avatar image
David Marginian Deactivated answered

Good question, I will try to get some more information about this.

10 |2000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Welcome to the
Clover Developer Community