Secure ID APIs
Signature Verification
Verifying the signature is mandatory before processing any response. It helps authenticate that the webhook is from Cashfree Payments.
Follow these steps to verify the signature:
- Sort the array based on keys.
- Concatenate all the values in this array; the result is the post data (postData).
- Compute the HMAC-SHA256 of postData using your clientSecret as the key, then base64-encode the result.
- Verify that the calculated signature and the received signature match.
- Proceed further only if the signatures match. If not, discard the request.
- Ensure the clientSecret you use is from the oldest active key pair.
For example, extract the data from the webhook received and pass it to the HMAC generation function:
Java code - for reference
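The steps above in Python, as an added example that is not Cashfree's reference code. It assumes the webhook fields arrive as a flat key/value map and that the `signature` field itself is excluded from the signed data; the field names and the secret are constructed placeholders.

```python
import base64
import hashlib
import hmac


def compute_signature(fields: dict, client_secret: str) -> str:
    """Sort by key, concatenate the values, HMAC-SHA256, then base64."""
    post_data = "".join(str(fields[key]) for key in sorted(fields))
    digest = hmac.new(client_secret.encode("utf-8"),
                      post_data.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_webhook(payload: dict, client_secret: str) -> bool:
    """Return True only if the received signature matches the computed one."""
    received = payload.get("signature")
    if not isinstance(received, str) or not received:
        return False  # unsigned request: discard
    # Assumption: the signature field is not part of the signed data.
    fields = {k: v for k, v in payload.items() if k != "signature"}
    expected = compute_signature(fields, client_secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample data; field names and secret are placeholders.
SAMPLE_SECRET = "constructed-client-secret"
SAMPLE_FIELDS = {"status": "SUCCESS", "event": "SAMPLE_EVENT", "referenceId": "12345"}


def sample_webhook() -> dict:
    """Build a signed payload the way the sender would, for the demo."""
    return {**SAMPLE_FIELDS, "signature": compute_signature(SAMPLE_FIELDS, SAMPLE_SECRET)}


if __name__ == "__main__":
    good = sample_webhook()
    tampered = {**good, "status": "FAILED"}
    print("valid webhook accepted:", verify_webhook(good, SAMPLE_SECRET))
    print("tampered webhook accepted:", verify_webhook(tampered, SAMPLE_SECRET))
```

Pass the clientSecret from the oldest active key pair as `client_secret`, and call `verify_webhook` before any other handling of the request.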