
The verification of the webhook signature is contingent on the value of authAmount.

Hello,

I've come across an unusual scenario where the validity of a signature is contingent on the amount provided. In summary, if the authAmount in the returned webhook body is in the format #.## (e.g., 1.01 or 2.01), the signature verification is successful. However, if authAmount is in the format *.# or * (e.g., 1.1 or 2), the signature verification fails.

Here's an example of a webhook with an amount of 1.1:

Sandbox Environment (Live Mode)

My Signature Key:
A6214F6105625D5ED957CF02E749BB440DBD4E418533D219CAD26AECD104BFFE7F47DBBE5C81927CCA484AE7722BE82CE57FB5318EDE02122277A2FE90EE68EB

Webhook Notification Body:

{"notificationId":"570f7282-687a-42b7-903b-48e487d7694d","eventType":"net.authorize.payment.authcapture.created","eventDate":"2023-12-12T12:45:09.3492643Z","webhookId":"a585ea29-a370-495a-bd83-f9be7160f260","payload":{"responseCode":1,"avsResponse":"P","authAmount":1.1,"merchantReferenceId":"2M4zHFzshYBudvgIZ11B","entityName":"transaction","id":"120011377052"}}
My Local Hash Result:
sha512=0B031880F04DD8D6C98F06A234032575B19393716F7FCE84C62D4901F257D29808DF520CEFCD0225FE4374697769B6A2ED336B463031EA861C73F3396357A605

x-anet-signature:
sha512=8E3D41B0191A9A1E668FB729F350B73C6BBB81D676070FE7CFF001CA2543ABA91BD16A4374A0F6FA4542659728C7DAF79D7EC901FEC582FC2DA3263A2D604DCF

As you can see, the result hash is different. However, if I manually change the body from "authAmount":1.1 to "authAmount":1.10 (although this is not what the client side should do), the hash becomes:

Manually Changed Hash:
sha512=8E3D41B0191A9A1E668FB729F350B73C6BBB81D676070FE7CFF001CA2543ABA91BD16A4374A0F6FA4542659728C7DAF79D7EC901FEC582FC2DA3263A2D604DCF

This hash matches the x-anet-signature header.

Could someone provide assistance in resolving this situation?

Thanks in advance.

Mathew312
Member
Accepted Solutions

It seems that the signature verification issue is related to the precision of the authAmount value. Ensure consistent formatting for the authAmount field, using two decimal places, even for whole numbers (e.g., "authAmount": 1.00 instead of "authAmount": 1). This should align the hash generation and resolve the signature verification problem.


Shawn232
Member
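
One way a receiver can end up hashing `"authAmount":1.1` when the signed bytes contained `"authAmount":1.10` is by parsing the JSON and re-serializing it before computing the HMAC. The sketch below is an added example, not code from the thread or from Authorize.Net, and it does not establish that this is the cause in the post; it verifies the signature over the request bytes exactly as received. The key, the body, the function names, and the use of the key's ASCII text as the HMAC-SHA512 key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values for illustration; not the key or body from the post.
SIGNATURE_KEY = "00112233445566778899AABBCCDDEEFF"
RAW_BODY = (b'{"eventType":"net.authorize.payment.authcapture.created",'
            b'"payload":{"responseCode":1,"authAmount":1.10,"id":"0000000000"}}')


def sign(key: str, body: bytes) -> str:
    """Return a header value in the 'sha512=<HEX>' form shown in the post.

    Assumption: HMAC-SHA512 over the body bytes, keyed with the key's ASCII text.
    """
    digest = hmac.new(key.encode("ascii"), body, hashlib.sha512).hexdigest()
    return "sha512=" + digest.upper()


def verify(key: str, raw_body: bytes, header: str) -> bool:
    """Constant-time check of the header against the bytes as received."""
    scheme, _, received = header.strip().partition("=")
    if scheme.lower() != "sha512" or not received:
        return False
    expected = sign(key, raw_body).partition("=")[2]
    return hmac.compare_digest(expected.lower().encode(),
                               received.lower().encode())


def reserialize(raw_body: bytes) -> bytes:
    """Parse then dump, as code working from a parsed object would: 1.10 -> 1.1."""
    return json.dumps(json.loads(raw_body), separators=(",", ":")).encode()


def handle(key: str, raw_body: bytes, header: str):
    """Verify on the raw bytes first; parse only an authenticated body."""
    if not verify(key, raw_body, header):
        return None
    return json.loads(raw_body)


if __name__ == "__main__":
    header = sign(SIGNATURE_KEY, RAW_BODY)  # stands in for the sender
    print("raw bytes verify:    ", verify(SIGNATURE_KEY, RAW_BODY, header))
    print("re-serialized body:  ", reserialize(RAW_BODY).decode())
    print("re-serialized verify:", verify(SIGNATURE_KEY, reserialize(RAW_BODY), header))
```

In a web framework this means reading the unparsed request body for the check rather than a pre-parsed JSON object.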