Callback Checksum Verification

To ensure the integrity and authenticity of the callback, you must verify the checksum included in the query string of every callback URL. The checksum is generated using the following formula:

hash('sha256', orderUuid . status . createdAt . secretKey)

Where:

  • orderUuid is the value of the orderUuid parameter from the callback URL.
  • status is the value of the status parameter from the callback URL.
  • createdAt is the value of the createdAt parameter from the callback URL.
  • secretKey is the secret key provided by Front Payment.

Example Verification (Conceptual):

// In your callback handler
// Missing parameters default to '' so the checksum comparison simply fails
$receivedOrderUuid = $_GET['orderUuid'] ?? '';
$receivedStatus = $_GET['status'] ?? '';
$receivedCreatedAt = $_GET['createdAt'] ?? '';
$receivedTimestamp = $_GET['timestamp'] ?? ''; // You might also want to log/check this for freshness
$receivedChecksum = $_GET['checksum'] ?? '';
$secretKey = ''; // Given by Front Payment

// Construct the string used to calculate the checksum
$stringToHash = $receivedOrderUuid . $receivedStatus . $receivedCreatedAt . $secretKey;

$calculatedChecksum = hash('sha256', $stringToHash);

// hash_equals() compares in constant time; the calculated value goes first
if (is_string($receivedChecksum) && hash_equals($calculatedChecksum, $receivedChecksum)) {
    // Checksum is valid, process the callback data
    // e.g., update order status in your database
    echo "Callback successfully processed.";
} else {
    // Checksum mismatch, reject the callback as potentially tampered
    // Log the discrepancy for investigation for security purposes
    http_response_code(403); // Forbidden
    echo "Checksum verification failed.";
}

By verifying the checksum, you can confirm that the callback data has not been altered during transmission, enhancing the security of your integration.
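
The check above, packaged as a reusable function that also rejects malformed parameters and processes each valid callback only once. This is an added example, not Front Payment's own code: the function name verifyCallback, the $processed store and all sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Returns 'ok', 'malformed', 'bad_checksum' or 'duplicate'.
// $processed is a hypothetical stand-in for a persistent store such as a DB table.
function verifyCallback(array $query, string $secretKey, array &$processed): string
{
    $f = [];
    foreach (['orderUuid', 'status', 'createdAt', 'checksum'] as $name) {
        // Reject missing, empty or array-valued parameters (e.g. ?status[]=x).
        if (!isset($query[$name]) || !is_string($query[$name]) || $query[$name] === '') {
            return 'malformed';
        }
        $f[$name] = $query[$name];
    }
    // Formula from this page: sha256(orderUuid . status . createdAt . secretKey)
    $expected = hash('sha256', $f['orderUuid'] . $f['status'] . $f['createdAt'] . $secretKey);
    // Constant-time comparison; the locally calculated value goes first.
    if (!hash_equals($expected, $f['checksum'])) {
        return 'bad_checksum';
    }
    // The same three values always give the same checksum, so a callback URL
    // that is delivered twice verifies twice. Act on it only the first time.
    if (isset($processed[$expected])) {
        return 'duplicate';
    }
    $processed[$expected] = true;
    return 'ok';
}

// Constructed sample values, not real Front Payment data.
$secret = 'example-secret-key';
$callback = [
    'orderUuid' => 'ODR0000000001',
    'status'    => 'paid',
    'createdAt' => '1700000000',
    'timestamp' => '1700000005', // not part of the checksum formula, so not covered by it
];
$callback['checksum'] = hash('sha256',
    $callback['orderUuid'] . $callback['status'] . $callback['createdAt'] . $secret);

$processed = [];
var_dump(verifyCallback($callback, $secret, $processed));                          // first delivery
var_dump(verifyCallback($callback, $secret, $processed));                          // same callback again
var_dump(verifyCallback(['status' => 'failed'] + $callback, $secret, $processed)); // altered status
var_dump(verifyCallback(['status' => ['paid']] + $callback, $secret, $processed)); // array parameter
```

In a real handler, return 403 for 'malformed' and 'bad_checksum', and treat 'duplicate' as already handled without updating the order again.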