Webhooks Checksum
As an additional security layer to our system, you can now validate that a webhook call originates from Spendjuice.
We have added a checksum attribute to every webhook payload:
{
"checksum": "32762AE880695AE7343A649CB9C36CA6FF83AA258A139804AEF7D73B421DE097",
"data": {
"card_id": "81817411-9ffd-42ba-8bc8-f407b5cef9d9",
"amount": 1000,
"reference": "b070b0d2-e394-4783-a6f0-f10ccb3cae89",
"currency": "USD"
},
"event": "card.transaction"
}
The checksum is calculated over a string in this format: event|json_encoded_data.
Using the above example payload:
card.transaction|{\"amount\":1000,\"card_id\":\"81817411-9ffd-42ba-8bc8-f407b5cef9d9\",\"currency\":\"USD\",\"reference\":\"b070b0d2-e394-4783-a6f0-f10ccb3cae89\"}
Warning
The encoded data should exclude the checksum attribute, and its keys should be in alphabetical order.
The checksum validation will fail if the encoded data is rendered in the wrong order. See example:
{\"currency\":\"USD\",\"amount\":1000,\"card_id\":\"81817411-9ffd-42ba-8bc8-f407b5cef9d9\",\"reference\":\"b070b0d2-e394-4783-a6f0-f10ccb3cae89\"}
Notice: The encoded data is the same, but the order in which the string is generated is not alphabetical. This checksum validation will fail.
We then create an HMAC SHA-256 hex-encoded hash, using the id of the integrator that we are sending the request to as the hash key.
To validate the checksum, repeat the operation on your system, using your id as the key.
✅ If the two checksums agree, you can be certain that the request originated from SpendJuice's system.
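A receiver-side check for the procedure above, as an added example that is not Spendjuice's own code. It assumes the JSON is encoded compactly (no spaces), as in the example string, and that the checksum is uppercase hex, as in the example payload; INTEGRATOR_ID is a constructed placeholder and the function names are illustrative.

```python
import hashlib
import hmac
import json

# Constructed placeholder, not a real integrator id.
INTEGRATOR_ID = "00000000-0000-0000-0000-000000000000"


def canonical_message(event, data):
    """Build event|json_encoded_data with keys in alphabetical order."""
    # Assumption: compact separators, matching the page's example string.
    encoded = json.dumps(data, sort_keys=True, separators=(",", ":"))
    return f"{event}|{encoded}"


def compute_checksum(event, data, key):
    """HMAC SHA-256 of the canonical message, hex-encoded (uppercase)."""
    message = canonical_message(event, data).encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), message, hashlib.sha256)
    return digest.hexdigest().upper()


def verify_webhook(raw_body, key):
    """Return True only if the payload's checksum matches our own HMAC."""
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return False  # not JSON at all: reject
    if not isinstance(payload, dict):
        return False
    received = payload.get("checksum")
    event = payload.get("event")
    data = payload.get("data")
    # Reject payloads with a missing or wrongly typed field instead of raising.
    if not (isinstance(received, str) and isinstance(event, str)
            and isinstance(data, dict)):
        return False
    # Only "data" is hashed, so the top-level checksum attribute is excluded.
    expected = compute_checksum(event, data, key)
    # Constant-time comparison; case is normalised before comparing.
    return hmac.compare_digest(expected.encode(), received.upper().encode())
```

Because the keys are re-sorted before hashing, the check does not depend on the order in which the incoming JSON happened to list them.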