Verifying webhook

​

Verifying Webhook Signatures

Fenan Pay signs the webhook payload using a private key. To ensure that the webhook you receive is from Fenan Pay and hasn’t been tampered with, verify the signature using the corresponding public key:

• Test environment: on dashboard: settings > webhook settings > webhook_pubk_test
• Production environment: on dashboard: settings > webhook settings > webhook_pubk_prod

​

How Webhook Signatures Work

Fenan Pay signs the body using private key speified in setting. The signature is sent in the webhook’s signature field. You should verify the integrity of the payload by comparing the provided signature with the one generated using your webhook’s public key.

​

Webhook Payload Structure

​

Key Points to Remember

• Signature Field: The signature field contains the cryptographic signature to verify the authenticity of the webhook body.
• body: Ensure you verify the body as a string, as any modifications can lead to a failed verification.

​

Example Implementations for Verifying Webhook Signatures

• JavaScript (Node.js)
• Python
• Java
• Go
• PHP

const crypto = require('crypto');

function verifySignature(payload, signature, publicKey) {
  const verify = crypto.createVerify('SHA256');
  
  // Convert the payload body into a string and update the verify object
  verify.update(payload.body);
  verify.end();
  
  // Verify the signature using the provided public key
  return verify.verify(publicKey, signature, 'base64');
}

// Example usage
const payload = { signature: 'example-signature', body: { event: 'payment_intent.succeeded', ...paymentIntentObject } };
const publicKey = '-----BEGIN PUBLIC KEY-----\nyour-public-key-here\n-----END PUBLIC KEY-----'; // should be the public key from the webhook settings including the Header and Footer
const isVerified = verifySignature(payload, signature, publicKey);

console.log('Signature verified:', isVerified);