Comment on page

Postback Hashing

If you are interested in adding an extra layer of security, please ask your account manager to enable postback hashing.


Postback hashing is optional. If activated by your account manager, we will add a "&hash={hash}" parameter to all your postback calls. The {hash} is created using a HEX encoded SHA1 HMAC, generated by hashing the entire postback url with a pre-shared secret key. You will receive the secret key from your account manager and you can use it to verify the hash.


The purpose of this Node.js code sample is to provide you with an understanding of how to authenticate our hashes:
const crypto = require('crypto');
function checkUrlHash(url, secretKey) {
const urlWithoutHash = url.split('&hash=')[0];
const hash = url.split('&hash=')[1];
const hmac = crypto.createHmac('sha1', secretKey);
const calculatedHash = hmac.digest('hex');
return calculatedHash === hash;