Verifying signatures
The Billit-Signature header included in each webhook event contains a timestamp and a signature. The timestamp is prefixed by t= and the signature by s=.
t=1657133145,s=479f86b8baa181b97281b767b8db125cc312d18b3e611d6157571abcd539f09f
1. Extract the timestamp and signature from the signature header
Get the timestamp and signature value by splitting the string by ",".
Next you can split by "=" to get the value of the parameter.
2. Build the signature payload string
The signature payload is created by concatenating:
- The timestamp
- The character "."
- The received payload as a JSON string
For example:
1657133145.{"OrderID":12345,"OrderNumber":"2022-123", ...}
3. Compare the hash
SHA-256 hash the signature payload with the signing secret key as key. Verify the generated hash with the signature extracted from the signature header.
Optionally, you can check if the difference between the current timestamp and the extracted timestamp is within your tolerance.