Skip to main content

Verify signature

The MONEI-Signature header included in each signed request contains a timestamp and one or more signatures. The timestamp is prefixed by t=, and each signature is prefixed by a scheme. Schemes start with v, followed by an integer. Currently, the only valid live signature scheme is v1.

MONEI-Signature: t=1492774577,v1=5257a869e7ecebeda32affa62cdca3fa51cad7e77a0e56ff536d0ce8e108d8bd

MONEI generates signatures using a hash-based message authentication code (HMAC) with SHA-256. To prevent downgrade attacks, you should ignore all schemes that are not v1.

Verifying signatures using our official libraries#

Use one of our official libraries to verify signatures. You perform the verification by providing the request payload and the MONEI-Signature header. If verification fails, MONEI returns an error.

server.js
const {Monei} = require('@monei-js/node-sdk');
// Set your api key. Remember to switch to your live api key in production!
// See your api key here: https://dashboard.monei.com/settings/api
const monei = new Monei('pk_test_36cf3e8a15eff3f5be983562ea6b13ec');
// This example uses Express to receive webhooks
const app = require('express')();
// Use body-parser to retrieve the raw body as a buffer
const bodyParser = require('body-parser');
// Match the raw body to content type application/json
app.post('/webhook', bodyParser.raw({type: 'application/json'}), (request, response) => {
const signature = request.headers['MONEI-Signature'];
let payload;
try {
payload = monei.verifySignature(request.body, signature);
} catch (err) {
response.status(400).send(`Webhook Error: ${err.message}`);
}
console.log('Payload', payload);
// Return a response to acknowledge receipt of the event
response.sendStatus(200);
});
app.listen(3000, () => console.log('Running on port 3000'));

Verifying signatures manually#

Step 1: Extract the timestamp and the signature from the header#

Split the header, using the , character as the separator, to get a list of elements. Then split each element, using the = character as the separator, to get a prefix and value pair.

The value for the prefix t corresponds to the timestamp, and v1 corresponds to the signature (or signatures). You can discard all other elements.

Step 2: Prepare the signed_payload string#

The signed_payload string is created by concatenating:

  • The timestamp (as a string)
  • The character .
  • The actual JSON payload (i.e., the request body)

Step 3: Determine the expected signature#

Compute an HMAC with the SHA256 hash function. Use your account’s API Key as the key, and use the signed_payload string as the message.

You can get your accounts password in MONEI Dashboard → Settings → API.

Step 4: Compare the signatures#

Compare the signature in the header to the expected signature. For an equality match, compute the difference between the current timestamp and the received timestamp, then decide if the difference is within your tolerance.

To protect against timing attacks, use a constant-time string comparison to compare the expected signature to the received signature.