Postback Hashing

If you are interested in adding an extra layer of security, please ask your account manager to enable postback hashing.

Hashing

Postback hashing is optional. If activated by your account manager, we will add a "&hash={hash}" parameter to all your postback calls. The {hash} is created using a HEX encoded SHA1 HMAC, generated by hashing the entire postback url with a pre-shared secret key. You will receive the secret key from your account manager and you can use it to verify the hash.

Example

The purpose of this Node.js code sample is to provide you with an understanding of how to authenticate our hashes:

const crypto = require('crypto');

function checkUrlHash(url, secretKey) {
  const urlWithoutHash = url.split('&hash=')[0];
  const hash = url.split('&hash=')[1];
  
  const hmac = crypto.createHmac('sha1', secretKey);
  hmac.update(urlWithoutHash);
  const calculatedHash = hmac.digest('hex');

  return calculatedHash === hash;
}

Query string parameters are encoded using encodeURIComponent before the hash is calculated and appended. It is important to verify the URL exactly as it is called. This means you need to ensure your server stack does not automatically decode the URI components, or checking the hash will fail.

PreviousPostbacks NextAndroid

Last updated 5 months ago

Postback Hashing

If you are interested in adding an extra layer of security, please ask your account manager to enable postback hashing.

Hashing

Example

The purpose of this Node.js code sample is to provide you with an understanding of how to authenticate our hashes:

const crypto = require('crypto');

function checkUrlHash(url, secretKey) {
  const urlWithoutHash = url.split('&hash=')[0];
  const hash = url.split('&hash=')[1];
  
  const hmac = crypto.createHmac('sha1', secretKey);
  hmac.update(urlWithoutHash);
  const calculatedHash = hmac.digest('hex');

  return calculatedHash === hash;
}

PreviousPostbacks NextAndroid

Last updated 5 months ago