# Encryption
# Callback Encryption
Merchants can authenticate the response sent to their callback URL about the status of a transaction. This is configured in Application settings. Along with the callback request body, a hash message is sent in the request headers under the key `Signature`. When callback authentication is enabled, the receiver hashes the callback request body with the shared signature key using HMAC-SHA256, Base64-encodes the digest, and compares the result with the `Signature` value that was sent.
This implementation uses a symmetric HMAC signature, not RSA. The exact JSON formatting of the payload matters during verification: a single added space or a different key order changes the digest, so the payload must be serialized exactly as it was when the signature was computed.
Below is a Python implementation:

```python
import base64
import hashlib
import hmac
import json

# Shared signature key configured in Application settings.
open_signature_key = "cd!HHz&kMU@7i7n@wHxE^^PULtYs&^uDHQShP6FpuFCE!5espqjF^tRSKkVtvxMd"

# Callback request body as delivered to the callback URL.
callback_data = {
    "ResultType": 0,
    "ResultDesc": "The service request is processed successfully.",
    "Originator": "PW_TEST_01",
    "TransactionID": "PHY0A0AE3JF2",
    "TransactionAmount": "50.00",
    "TransactionReceipt": "QKR3S0JA9H",
    "AccountAvailableFunds": "5.00",
    "ReceiverPartyPublicName": "21234",
    "TransactionCompletedDateTime": "2022-11-27 14:37:49.690634+00:00"
}

# HMAC-SHA256 over the compact JSON serialization (no spaces after ',' or ':'),
# then Base64-encode the raw digest to obtain the value sent in the Signature header.
generated_signature = base64.b64encode(
    hmac.new(
        bytes(open_signature_key, 'utf-8'),
        bytes(json.dumps(callback_data, separators=(',', ':')), 'utf-8'),
        hashlib.sha256).digest()).decode()
print(generated_signature)
```
Where possible, verify the signature against the exact raw callback body as received on the request rather than parsing and re-serializing the payload, since any difference in serialization produces a different digest and a false mismatch.
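The verification side of the scheme above, as an added example that is not part of the original page: it signs the raw request body, compares against the `Signature` header with a constant-time comparison, and shows why re-serializing the parsed JSON with Python's default separators breaks verification. The shared key is the sample value from the page; the callback body bytes are constructed.

```python
import base64
import hashlib
import hmac
import json

# Shared signature key from Application settings (sample value from the page above).
SIGNATURE_KEY = "cd!HHz&kMU@7i7n@wHxE^^PULtYs&^uDHQShP6FpuFCE!5espqjF^tRSKkVtvxMd"


def sign_body(raw_body: bytes, key: str = SIGNATURE_KEY) -> str:
    """Base64(HMAC-SHA256(key, raw_body)), the value carried in the Signature header."""
    mac = hmac.new(key.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_callback(raw_body: bytes, signature_header: str, key: str = SIGNATURE_KEY) -> bool:
    """True only if the header matches the HMAC of the body exactly as received.

    compare_digest runs in constant time, so a rejected signature does not reveal
    how many leading characters were correct.
    """
    expected = sign_body(raw_body, key).encode("ascii")
    return hmac.compare_digest(expected, signature_header.strip().encode("utf-8"))


# Constructed sample: the callback body exactly as received on the wire (compact JSON).
RAW_BODY = (b'{"ResultType":0,"ResultDesc":"The service request is processed successfully.",'
            b'"TransactionID":"PHY0A0AE3JF2","TransactionAmount":"50.00"}')


def demo() -> dict:
    good_sig = sign_body(RAW_BODY)
    # Default json.dumps separators insert spaces after ',' and ':', so the bytes differ
    # from the wire body and the HMAC no longer matches although the data is unchanged.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode("utf-8")
    # Same body with the amount altered in transit: must be rejected.
    tampered = RAW_BODY.replace(b'"50.00"', b'"5000.00"')
    compact = json.dumps(json.loads(RAW_BODY), separators=(",", ":")).encode("utf-8")
    return {
        "accepts_raw_body": verify_callback(RAW_BODY, good_sig),
        "accepts_reserialized": verify_callback(reserialized, good_sig),
        "accepts_tampered": verify_callback(tampered, good_sig),
        "compact_matches_raw": compact == RAW_BODY,
    }


if __name__ == "__main__":
    print(demo())
```

Read the body with the framework's raw-bytes accessor (before any JSON middleware) and pass those bytes to `verify_callback`; only parse the JSON after the signature has been accepted.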