https://community.developer.cybersource.com/t5/Integration-and-Testing/Verifying-Webhook-signature-depends-on-authAmount/m-p/88339#M55659 <P>Three days have already passed since my post was created. Does somebody have a solution?</P><P>Are auth.net developers reading this community forum?</P> Fri, 15 Dec 2023 12:00:23 GMT sera_nikulin 2023-12-15T12:00:23Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Verifying-Webhook-signature-depends-on-authAmount/m-p/88297#M55628 <P><SPAN>Hello,</SPAN><BR /><BR />I found a strange situation where the signature is valid or invalid depending on the amount.<BR />Briefly: if authAmount in returned webhook body in format #.## (example 1.01 or 2.01) - then verifying signature is success<BR />If authAmount has format *.# or * (example 1.1 or 2) - then verifying signature is failed.</P><P>Here is my example of webhook with amount 1.1</P><P>Sandbox environtment (live mode)</P><P><STRONG>My signature key:</STRONG><BR />A6214F6105625D5ED957CF02E749BB440DBD4E418533D219CAD26AECD104BFFE7F47DBBE5C81927CCA484AE7722BE82CE57FB5318EDE02122277A2FE90EE68EB</P><P><STRONG>Webhook notification's body:</STRONG><BR />{"notificationId":"570f7282-687a-42b7-903b-48e487d7694d","eventType":"net.authorize.payment.authcapture.created","eventDate":"2023-12-12T12:45:09.3492643Z","webhookId":"a585ea29-a370-495a-bd83-f9be7160f260","payload":{"responseCode":1,"avsResponse":"P","authAmount":1.1,"merchantReferenceId":"2M4zHFzshYBudvgIZ11B","entityName":"transaction","id":"120011377052"}}</P><P><STRONG>My local hash result:</STRONG><BR />sha512=0B031880F04DD8D6C98F06A234032575B19393716F7FCE84C62D4901F257D29808DF520CEFCD0225FE4374697769B6A2ED336B463031EA861C73F3396357A605</P><P><STRONG>x-anet-signature:</STRONG><BR />sha512=8E3D41B0191A9A1E668FB729F350B73C6BBB81D676070FE7CFF001CA2543ABA91BD16A4374A0F6FA4542659728C7DAF79D7EC901FEC582FC2DA3263A2D604DCF</P><P>As you see result hash is different.<BR />But if I manually change in body from <STRONG>"authAmount":1.1</STRONG> to <STRONG>"authAmount":1.10</STRONG> (<FONT color="#FF0000">this is not what the client side should do</FONT>)</P><P>then hash will be<BR />sha512=8E3D41B0191A9A1E668FB729F350B73C6BBB81D676070FE7CFF001CA2543ABA91BD16A4374A0F6FA4542659728C7DAF79D7EC901FEC582FC2DA3263A2D604DCF</P><P>whish is equals to x-anet-signature header.</P><P><BR />Could anyone help with this situation?<BR /><BR />Thanks in advance.</P><P>&nbsp;</P> Tue, 12 Dec 2023 13:13:58 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Verifying-Webhook-signature-depends-on-authAmount/m-p/88297#M55628 sera_nikulin 2023-12-12T13:13:58Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Verifying-Webhook-signature-depends-on-authAmount/m-p/88299#M55630 <P>I can manually change request body to able to have valid signature but this contradicts the principles of verifying data integrity based on signature</P> Tue, 12 Dec 2023 13:33:34 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Verifying-Webhook-signature-depends-on-authAmount/m-p/88299#M55630 sera_nikulin 2023-12-12T13:33:34Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Verifying-Webhook-signature-depends-on-authAmount/m-p/88339#M55659 <P>Three days have already passed since my post was created. Does somebody have a solution?</P><P>Are auth.net developers reading this community forum?</P> Fri, 15 Dec 2023 12:00:23 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Verifying-Webhook-signature-depends-on-authAmount/m-p/88339#M55659 sera_nikulin 2023-12-15T12:00:23Z