REST API

Validating a Notification

To validate a notification, you must use the digital signature key to generate your own signature and match it with the signature in the notification. The digital signature of the notification is contained in the sig parameter of the v-c-signature header of the notification.
When you sent the API request that created the digital signature key, you received a response that contains a keyInformation array. The keyInformation array contains a keyinformation.key field which contains the digital signature key and a keyinformation.keyId field that identifies the digital signature key. The keyinformation.key field is required to generate your own signature, which you can use to validate the notification's signature.
Follow these steps to validate the integrity of a notification.
  1. Split the signature by semicolon and extract t, keyId, and sig.
  2. Use keyId to fetch the digital signature key.
  3. Generate the payload by concatenating the timestamp with a period character (.) and the payload from the body of the notification.
  4. Use the SHA256 algorithm to encrypt the generated payload from Step 3 using the key from Step 2.
  5. Verify that the encrypted value matches the value in sig.
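The five steps above as a Python sketch. This is an added example, not code from the API documentation. It assumes that each part of the header has the form name=value, that Step 4 means HMAC-SHA256, and that both the key and the sig value are Base64 text; the key_store mapping, function names and sample values are hypothetical and constructed for the example.

```python
import base64
import hashlib
import hmac


def parse_signature_header(header):
    """Step 1: split on ';' and return the t, keyId and sig parts."""
    parts = {}
    for item in header.split(";"):
        # Split on the first '=' only: a Base64 sig can end in '=' padding.
        name, sep, value = item.strip().partition("=")
        if sep:
            parts[name] = value
    missing = {"t", "keyId", "sig"} - parts.keys()
    if missing:
        raise ValueError("signature header lacks: %s" % sorted(missing))
    return parts


def compute_signature(key_b64, timestamp, body):
    """Steps 3-4: keyed SHA256 over '<t>.<body>' (HMAC is an assumption)."""
    key = base64.b64decode(key_b64)            # assumption: key is Base64 text
    message = timestamp.encode() + b"." + body  # body = raw bytes as received
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()   # assumption: sig is Base64 text


def validate_notification(header, body, key_store):
    """Steps 1-5; key_store is a hypothetical keyId -> key mapping."""
    try:
        parts = parse_signature_header(header)
    except ValueError:
        return False
    key_b64 = key_store.get(parts["keyId"])    # Step 2
    if key_b64 is None:
        return False                           # unknown key: reject
    expected = compute_signature(key_b64, parts["t"], body)
    # Step 5: constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected.encode(), parts["sig"].encode())


# Constructed sample data (not real keys or notifications).
SAMPLE_KEY_ID = "example-key-id"
SAMPLE_KEYS = {SAMPLE_KEY_ID: base64.b64encode(b"constructed-test-key-000000000000").decode()}
SAMPLE_T = "1700000000000"
SAMPLE_BODY = b'{"eventType":"example.event","payload":{"id":"123"}}'
SAMPLE_HEADER = "t=%s;keyId=%s;sig=%s" % (
    SAMPLE_T, SAMPLE_KEY_ID,
    compute_signature(SAMPLE_KEYS[SAMPLE_KEY_ID], SAMPLE_T, SAMPLE_BODY))
```

Compute the signature over the request body exactly as received; re-serializing parsed JSON can change whitespace or key order and make a valid notification fail Step 5.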