Validating a Notification
To validate a notification, you must use the digital signature key to generate your own signature and match it with the signature in the notification. The digital signature of the notification is contained in the sig parameter of the v-c-signature header of the notification.

When you sent the API request that created the digital signature key, you received a response that contains a keyInformation array. The keyInformation array contains a keyinformation.key field, which contains the digital signature key, and a keyinformation.keyId field that identifies the digital signature key. The keyinformation.key field is required to generate your own signature, which you can use to validate the notification's signature.

Follow these steps to validate the integrity of a notification.
1. Split the signature by semicolon and extract t, keyId, and sig.
2. Use keyId to fetch the digital signature key.
3. Generate the payload by concatenating the timestamp with a period character (.) and the payload from the body of the notification.
4. Use the SHA256 algorithm to encrypt the generated payload from Step 3 using the key from Step 2.
5. Verify that the encrypted value matches the value in sig.
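
One way to implement the five steps above, as an added example that is not code from the original page or from the vendor. It assumes the header parts are name=value pairs, that the keyed SHA256 operation in Step 4 is HMAC-SHA256, and that both the key and sig are base64-encoded; the key store dictionary, the sign_sample helper, and all sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

def parse_signature_header(header: str) -> dict:
    """Step 1: split on ';' and collect the name=value parts (t, keyId, sig)."""
    parts = {}
    for item in header.split(";"):
        # Split on the first '=' only, so base64 padding in sig is preserved.
        name, sep, value = item.strip().partition("=")
        if sep:
            parts[name] = value
    missing = {"t", "keyId", "sig"} - parts.keys()
    if missing:
        raise ValueError(f"signature header missing {sorted(missing)}")
    return parts

def validate_notification(header: str, raw_body: bytes, keys: dict) -> bool:
    """Return True only if sig matches a signature computed locally.

    raw_body must be the body bytes exactly as received; re-serialized JSON
    will not produce the same signature. keys maps keyId -> base64 key
    (assumed storage format).
    """
    try:
        parts = parse_signature_header(header)
        key = base64.b64decode(keys[parts["keyId"]], validate=True)    # Step 2
        received = base64.b64decode(parts["sig"], validate=True)
    except (ValueError, KeyError):  # malformed header/base64 or unknown keyId
        return False
    signed = parts["t"].encode() + b"." + raw_body                    # Step 3
    expected = hmac.new(key, signed, hashlib.sha256).digest()         # Step 4
    return hmac.compare_digest(expected, received)                    # Step 5

# Constructed sample data: not a real key or a real notification.
SAMPLE_KEYS = {"key-001": base64.b64encode(b"constructed-demo-secret").decode()}
SAMPLE_BODY = b'{"eventType":"example"}'
SAMPLE_T = "1700000000000"

def sign_sample(t: str, body: bytes, key_id: str = "key-001") -> str:
    """Hypothetical sender side, used only to build a header for the demo."""
    key = base64.b64decode(SAMPLE_KEYS[key_id])
    mac = hmac.new(key, t.encode() + b"." + body, hashlib.sha256).digest()
    return f"t={t};keyId={key_id};sig={base64.b64encode(mac).decode()}"

if __name__ == "__main__":
    hdr = sign_sample(SAMPLE_T, SAMPLE_BODY)
    print("genuine :", validate_notification(hdr, SAMPLE_BODY, SAMPLE_KEYS))
    print("tampered:", validate_notification(hdr, SAMPLE_BODY + b" ", SAMPLE_KEYS))
```

The comparison uses hmac.compare_digest so that the check takes the same time whether the signatures differ in the first byte or the last.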