
- payment_succeeded
- payment_canceled
Webhook requests are sent as HTTP POST with a JSON body.
{
"event": "payment_succeeded",
"payload": {
"id": "e469456c-0a53-4c31-bb43-d77ab197f94a",
"type": "purchase",
"paymentMethod": "birbank",
"status": "succeeded"
}
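}

Each webhook request contains an X-Signature header. The signature is generated from the request payload and a shared secret key using the HmacSHA256 algorithm, then encoded with Base64. The receiver recomputes the signature and rejects the request if it does not match the header value.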
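private static final String HMAC_SHA_256 = "HmacSHA256";

/**
 * Verifies the X-Signature value of a webhook request.
 *
 * <p>Recomputes the Base64-encoded HMAC-SHA256 of {@code payload} and compares it with
 * {@code sentSignature}. Despite its name, {@code signature} is the shared secret key:
 * its UTF-8 bytes are used as the HMAC key, so treat it as a credential and keep it out
 * of logs.
 *
 * @param payload request payload the sender signed; must not be null
 * @param signature shared secret key; must not be null, and an empty value is rejected
 *     by {@code SecretKeySpec} with an {@code IllegalArgumentException}
 * @param sentSignature value received in the X-Signature header; may be null
 * @return {@code true} only when the recomputed signature equals {@code sentSignature};
 *     {@code false} when the header is missing, differs, or the HMAC cannot be initialised
 */
public boolean isValid(String payload, String signature, String sentSignature) {
    // A request that carries no signature header can never be authentic.
    if (sentSignature == null) {
        return false;
    }
    try {
        Mac mac = Mac.getInstance(HMAC_SHA_256);
        mac.init(new SecretKeySpec(signature.getBytes(StandardCharsets.UTF_8), HMAC_SHA_256));
        byte[] hash = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        byte[] expected = Base64.getEncoder().encode(hash);
        byte[] received = sentSignature.getBytes(StandardCharsets.UTF_8);
        // String.equals returns at the first differing character, so response timing can
        // reveal how much of a guessed signature is correct. MessageDigest.isEqual compares
        // in constant time. It is written fully qualified so no new import is needed.
        return java.security.MessageDigest.isEqual(expected, received);
    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
        // Fail closed: if the HMAC cannot be computed, the request is not verified.
        return false;
    }
}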