Every notification we send to your endpoint is signed. We do this by including a header named "SmartFastPay-Signature" in every event we send. This allows you to verify that the event was sent by SmartFastPay and not by a third party.

The "SmartFastPay-Signature" header contains a timestamp and one or more signatures. The timestamp is prefixed by t= and each signature is prefixed by a schema. Schemas start with v followed by an integer. Currently there is only one signature schema, v1.
Example of the SmartFastPay-Signature header:
SmartFastPay-Signature: t=1681235417000,v1=b9ffafcd16416bd11e36f877c2d7ccc71633d174f8245abc49fc2aef7e6633c8
Signatures are generated using a hash-based message authentication code (HMAC) with SHA-256. To prevent downgrade attacks, you must ignore all non-v1 schemas.
Split the header using the , character as a separator to get the list of elements. Once that's done, split each element using the = character as a separator to get the prefix and the value. The value obtained from the t prefix corresponds to the timestamp and the value from the v1 prefix corresponds to the signature. You can discard other values.
You must concatenate this information: the timestamp (as a string), the . character, and the JSON payload (in string format).
Compute the HMAC with the SHA-256 hash function, using your secret as the key.
Example in PHP:
// This secret is not the secret of the authentication token, it is the UID
$secret = 'my-secret';
// This is the "t" value received on SmartFastPay-Signature header
$timestamp = 1681235417000;
$requestPayload = [
'callback' => true,
'value' => 'value-field'
];
$jsonPayload = json_encode($requestPayload, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
$paramsSignature = "{$timestamp}.{$jsonPayload}";
echo hash_hmac('sha256', $paramsSignature, $secret);
// Output: b9ffafcd16416bd11e36f877c2d7ccc71633d174f8245abc49fc2aef7e6633c8
Compare the signature sent by SmartFastPay in the Header with the signature you generated in Step 2.
Example in PHP:
// Comparing Signatures
// Example Header of the request sent by SmartFastPay:
$headers = [
'SmartFastPay-Signature' => 't=1681235417000,v1=b9ffafcd16416bd11e36f877c2d7ccc71633d174f8245abc49fc2aef7e6633c8'
];
// Extract the value of 't' from Header 'SmartFastPay-Signature'
// '1681235417000'
$timestamp = explode("=", explode(",", $headers['SmartFastPay-Signature'])[0])[1];
// Extract the value of 'v1' from Header 'SmartFastPay-Signature'
// 'b9ffafcd16416bd11e36f877c2d7ccc71633d174f8245abc49fc2aef7e6633c8'
$signature = explode("=", explode(",", $headers['SmartFastPay-Signature'])[1])[1];
// The signature you generated in Step 2 must be equal to the value of the "$signature" variable.
// Prefer hash_equals() over === here: it compares in constant time and does not leak how many bytes matched.
// Must return 1 (true)
echo ('yourSignature' === $signature);
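The parsing, signing and comparison steps above, combined into one verifier as an added example (written in Python; it is not the page's PHP or SmartFastPay's own code). It adds two things the snippets above leave out: a constant-time comparison via hmac.compare_digest, and a freshness window on t, which is my assumption rather than something the page specifies.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple


def compute_signature(secret: str, timestamp: str, raw_body: str) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<JSON body>" (the page's Step 2).
    Use the body bytes exactly as received; re-encoding can change the digest."""
    signed_payload = f"{timestamp}.{raw_body}".encode("utf-8")
    return hmac.new(secret.encode("utf-8"), signed_payload, hashlib.sha256).hexdigest()


def parse_signature_header(header: str) -> Tuple[Optional[str], List[str]]:
    """Split on ',' then on '='; keep the t value and every v1 signature.
    Other schemas (v0, v2, ...) are discarded, as the page requires."""
    timestamp: Optional[str] = None
    signatures: List[str] = []
    for element in header.split(","):
        prefix, sep, value = element.strip().partition("=")
        if not sep:
            continue  # element without '=': malformed, ignore it
        if prefix == "t":
            timestamp = value
        elif prefix == "v1":
            signatures.append(value)
    return timestamp, signatures


def verify_webhook(header: str, raw_body: str, secret: str,
                   now_ms: int, tolerance_ms: int = 5 * 60 * 1000) -> bool:
    """True only if some v1 signature matches and the timestamp is fresh.
    The freshness window is an assumption added here against replayed events;
    the page does not specify one. t is in milliseconds."""
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or not timestamp.isdigit() or not signatures:
        return False
    if abs(now_ms - int(timestamp)) > tolerance_ms:
        return False
    expected = compute_signature(secret, timestamp, raw_body)
    # Constant-time comparison against each v1 candidate.
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


if __name__ == "__main__":
    # Constructed sample using the page's secret, timestamp and payload.
    secret, ts = "my-secret", "1681235417000"
    body = '{"callback":true,"value":"value-field"}'
    header = f"t={ts},v1={compute_signature(secret, ts, body)}"
    print(verify_webhook(header, body, secret, now_ms=int(ts) + 1000))
    print(verify_webhook(header, body + " ", secret, now_ms=int(ts)))
```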