Each Connected Banking webhook event includes a hash parameter in the request body.
To verify the authenticity of the webhook request sent from Open, the ERP system should regenerate the hash at its end and validate it using the following steps:
Step 1: Remove the Hash Field
Remove the key 'hash' and its corresponding value from the webhook request body that Open sends to your configured webhook URL.
Step 2: Format the Request
Eliminate all newline characters and whitespace from the modified request body to create a continuous, compact string.
Remove all whitespace and newlines from the pre-hash string
A JSON body will contain whitespace and newlines. Always remove all whitespace and newlines before hashing the string.
Step 3: Generate the Hash
Prepend the string POST to the formatted request body and generate a hash using the HMAC SHA-256 algorithm.
Use the secret key obtained from Open’s Developer API Dashboard as the HMAC secret.
WARNING
Never share your API secret or expose it on the client side. The API secret is similar to a password. Always generate REQUEST_SIGNATURE on the server side. The above JavaScript example is ONLY for representational purposes and is not supposed to be used in production.
PHP sample code for steps 2 and 3 together
//Generation of REQUEST_SIGNATURE for a POST Request
$client_request_method = 'POST';
//Secret key obtained from Open's Developer API Dashboard (placeholder value; keep it server-side)
$secret_key = 'YOUR_API_SECRET';
//Timestamp header value (placeholder); for webhook verification leave it empty so that, as in Step 3 above, only POST is prepended to the body
$client_timestamp_header = '';
//Your request body
//Please note that below is a sample client body. It changes depending on the API which you are using
$client_body = '{"amount":"9.00","contact_number":"5119991919","email_id":"[email protected]","currency":"INR","mtx":"123456XYZ"}';
//Concatenating all together to make the pre-hash string
$string = $client_timestamp_header . $client_request_method . $client_body;
//Use the line below in case of GET requests
//$string = $client_timestamp_header . $client_request_method;
//IMPORTANT : Remove all whitespaces and newlines
$string = preg_replace('/\s+/', '', $string);
//Hash generation (lowercase hex digest)
$REQUEST_SIGNATURE = hash_hmac('sha256', $string, $secret_key);
Step 4: Validate the Hash
Compare the generated hash with the hash received in the webhook request:
If both hashes match, consider the webhook request as authentic.
If they do not match, discard the webhook request as invalid or untrusted.
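The four steps above as an added end-to-end example in Python on the receiving (ERP) side; this is not Open's own code, and the secret, the sample body and the sender-side helper are constructed for the demonstration. Step 4 uses a constant-time comparison so that the hash check itself does not leak timing information.

```python
import hashlib
import hmac
import json
import re

# Constructed placeholder: the real secret comes from Open's Developer API Dashboard
# and must stay server-side.
WEBHOOK_SECRET = b"example-webhook-secret-not-real"
# re.ASCII mirrors the PHP sample's preg_replace('/\s+/') (ASCII whitespace only).
_WHITESPACE = re.compile(r"\s+", re.ASCII)


def expected_hash(raw_body: str, secret: bytes) -> str:
    """Steps 1-3: drop 'hash', strip all whitespace/newlines, prepend POST, HMAC-SHA256 hex."""
    payload = json.loads(raw_body)
    payload.pop("hash", None)                                  # Step 1
    # Re-serialise compactly. Assumes the ERP-side JSON library preserves Open's key
    # order and value formatting (amounts arrive as strings, so no float rounding).
    compact = json.dumps(payload, separators=(",", ":"), ensure_ascii=False)
    compact = _WHITESPACE.sub("", compact)                     # Step 2 (also inside values)
    prehash = "POST" + compact                                 # Step 3
    return hmac.new(secret, prehash.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_webhook(raw_body: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Step 4: recompute and compare in constant time; anything unparsable is untrusted."""
    try:
        received = json.loads(raw_body)
    except ValueError:
        return False
    if not isinstance(received, dict) or not isinstance(received.get("hash"), str):
        return False
    return hmac.compare_digest(expected_hash(raw_body, secret), received["hash"].lower())


def sign_body_for_demo(payload: dict, secret: bytes) -> str:
    """Constructed sender side, for the demo only: a pretty-printed body carrying its hash."""
    unsigned = json.dumps(payload, indent=2)
    return json.dumps(dict(payload, hash=expected_hash(unsigned, secret)), indent=2)


if __name__ == "__main__":
    sample = {"amount": "9.00", "contact_number": "5119991919", "currency": "INR", "mtx": "123456XYZ"}
    body = sign_body_for_demo(sample, WEBHOOK_SECRET)
    print(verify_webhook(body), verify_webhook(body.replace('"9.00"', '"90.00"')))
```

Because whitespace is stripped before hashing, the same event verifies whether it arrives pretty-printed or compact; a changed amount, a missing hash field or a wrong secret all fail.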