Signature Verification

Ensure the payloads you receive are sent by ZWITCH.

When dealing with financial transactions, it is important to verify that your transactions were processed by us. This helps prevent fraud, keeping both you and your customers happy.

We include a signature that you can use to verify that the webhook payload you receive is legitimate and sent by us. The signature is sent in the x-zwitch-signature header of every webhook.

Verify Signature

Follow the steps below to verify the webhook signature.

  1. Log into your ZWITCH Dashboard.
  2. Select the mode in which you want to verify the signature.
  3. Navigate to Developers > Webhooks.
  4. Reveal and copy your Signing Secret.
  5. Remove all new lines and whitespace from the payload you want to verify.
  6. Generate an HMAC-SHA256 signature using your Signing Secret from step 4 and the payload from step 5.
  7. Compare the signature you generated with the one sent in the x-zwitch-signature header of the webhook. If they match, the payload is genuine.

Sample Code

You can use the code below to generate a signature on your server.

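PHP

<?php

$signing_secret = '<enter_your_signing_secret>';
$response_body = '<enter your webhook payload without the headers>';

// Decode and re-encode the JSON to drop new lines and whitespace (step 5)
$prehash = json_encode(json_decode($response_body));

// HMAC-SHA256 of the normalized payload, keyed with the Signing Secret (step 6)
$request_signature = hash_hmac('sha256', $prehash, $signing_secret);

echo "$request_signature";
?>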
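
Python

import hashlib
import hmac

secret_key = '<enter_your_signing_secret>'

# Webhook payload with new lines and whitespace removed (step 5)
response_body = '<enter your webhook payload without the headers>'

# hmac.new() requires bytes for both the key and the message
request_signature = hmac.new(secret_key.encode('utf-8'), response_body.encode('utf-8'), hashlib.sha256)
print(request_signature.hexdigest())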
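
An added example, not ZWITCH's own code: steps 5 to 7 as a single Python check that compares in constant time and rejects unsigned or malformed requests. It assumes the header carries the hex digest that the samples above print and that compact `json.dumps` output is byte-identical to the whitespace-free form ZWITCH signs (confirm this against a real webhook); the secret, payloads and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values, not real ZWITCH data.
SECRET = "constructed_signing_secret"
COMPACT = b'{"id":"evt_001","amount":1500.5,"status":"success"}'
PRETTY = b'{\n  "id": "evt_001",\n  "amount": 1500.5,\n  "status": "success"\n}\n'
TAMPERED = COMPACT.replace(b"1500.5", b"9500.5")


def canonical_payload(raw_body: bytes) -> bytes:
    """Step 5: re-serialize the JSON without new lines or whitespace.

    Assumption: this compact form is byte-identical to what ZWITCH signs.
    """
    parsed = json.loads(raw_body)  # ValueError on malformed JSON or bad UTF-8
    return json.dumps(parsed, separators=(",", ":")).encode("utf-8")


def sign(raw_body: bytes, signing_secret: str) -> str:
    """Step 6: HMAC-SHA256 of the normalized payload, hex encoded."""
    key = signing_secret.encode("utf-8")
    return hmac.new(key, canonical_payload(raw_body), hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, headers: dict, signing_secret: str) -> bool:
    """Step 7: accept the payload only if x-zwitch-signature matches."""
    # HTTP header names are case-insensitive, so normalize before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get("x-zwitch-signature")
    if not received:
        return False  # unsigned request
    try:
        expected = sign(raw_body, signing_secret)
    except ValueError:
        return False  # body is not valid JSON
    # compare_digest takes constant time, so response timing does not reveal
    # how many leading characters of a guessed signature were correct.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


if __name__ == "__main__":
    header = {"X-Zwitch-Signature": sign(COMPACT, SECRET)}
    print("pretty-printed body:", verify_webhook(PRETTY, header, SECRET))
    print("tampered amount:    ", verify_webhook(TAMPERED, header, SECRET))
    print("missing header:     ", verify_webhook(COMPACT, {}, SECRET))
```

Pass the raw request body bytes exactly as received; normalization happens inside the check, so a body your framework has already parsed and re-serialized differently may no longer match.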