When dealing with financial transactions, it is important to verify that your transactions were processed by us. This helps prevent fraud, keeping both you and your customers happy.
We include a signature that you can use to verify that the webhook payload you receive is legitimate and was sent by us. The signature is sent in the `x-zwitch-signature` header of every webhook.
Follow the steps below to verify the webhook signature.
1. Log into your ZWITCH Dashboard.
2. Select the mode in which you want to verify the signature.
3. Navigate to Developers → Webhooks.
4. Reveal and copy your Signing Secret.
5. Remove all new lines and whitespaces from the payload you want to verify.
6. Generate an HMAC-SHA256 signature using your Signing Secret from step 4 and the payload from step 5.
7. Compare the signature you generated with the one sent in the `x-zwitch-signature` header of the webhook. If they match, the payload is genuine.
You can use the code below to generate a signature on your server.
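```php
<?php
// Signing Secret copied from the ZWITCH Dashboard (Developers → Webhooks).
$signing_secret = '<enter_your_signing_secret>';
// Raw webhook body, without the HTTP headers.
$response_body = '<enter your webhook payload without the headers>';

// Decoding and re-encoding the JSON strips new lines and whitespace.
$prehash = json_encode(json_decode($response_body));

// HMAC-SHA256 of the compacted payload, keyed with the Signing Secret (hex output).
$request_signature = hash_hmac('sha256', $prehash, $signing_secret);
echo "$request_signature";
?>
```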
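```python
import hashlib
import hmac

secret_key = '<enter_your_signing_secret>'
# Webhook payload without the headers, with new lines and whitespace removed (step 5).
response_body = '<enter your webhook payload without the headers>'

# hmac.new() requires bytes for both the key and the message.
request_signature = hmac.new(
    secret_key.encode('utf-8'),
    response_body.encode('utf-8'),
    hashlib.sha256
)
print(request_signature.hexdigest())
```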
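The samples above only generate a signature; the following added example (not ZWITCH's own code) also performs the comparison from the last step on the receiving server, using a constant-time compare and rejecting unsigned or malformed requests. The function names, the sample secret and the sample body are constructed for illustration, and compact JSON re-serialisation is assumed to be the whitespace-free form the signature was computed over.

```python
import hashlib
import hmac
import json

# Constructed sample values for illustration only.
SAMPLE_SECRET = "constructed-test-secret"
SAMPLE_BODY = b'{\n  "id": "evt_123",\n  "amount": 100\n}'


def canonical_payload(raw_body: bytes) -> bytes:
    """Re-serialise the JSON body without new lines or insignificant whitespace.

    Assumption: compact JSON mirrors the PHP sample's
    json_encode(json_decode(...)). Escaping of "/" and non-ASCII characters
    can differ between languages, so confirm against a real webhook.
    """
    parsed = json.loads(raw_body.decode("utf-8"))
    return json.dumps(parsed, separators=(",", ":")).encode("utf-8")


def compute_signature(signing_secret: str, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the canonical payload, keyed with the Signing Secret."""
    key = signing_secret.encode("utf-8")
    return hmac.new(key, canonical_payload(raw_body), hashlib.sha256).hexdigest()


def verify_webhook(signing_secret: str, raw_body: bytes, headers: dict) -> bool:
    """Return True only if x-zwitch-signature matches the computed value."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get("x-zwitch-signature")
    if not received:
        return False  # unsigned request: reject
    try:
        expected = compute_signature(signing_secret, raw_body)
    except ValueError:
        return False  # body is not valid UTF-8 JSON: reject
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(
        expected.encode("ascii"), received.strip().lower().encode("utf-8")
    )


if __name__ == "__main__":
    sig = compute_signature(SAMPLE_SECRET, SAMPLE_BODY)
    print(verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, {"X-Zwitch-Signature": sig}))
```

Pass the raw request body bytes to `verify_webhook` before any other processing, and act on the event only when it returns `True`.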