I'll have to check with our development team but it does appear to use our public key and some type of base 64 encoding but I'll have to see whether the method is something that can be divulged.
What is the official way to validate a webhook? Could not find any info on that anywhere...
I also tried to get the event using the API: https://api-cert.payeezy.com/v1/events/{id}
But this method returns 'Not found' at the time of webhook and only after about one minute of retries the event is found.
Can you provide the property name and the value supplied in the event object?
Or the correlation ID in question?
Here is the whole webhook data:
{
eventID: 8a34e7646001601e01602b3e67de0ed3,
eventName: TRANSACTION_STATUS,
eventTime: Dec 6, 2017 4:53:18 AM,
payload: {
amount: 100,
correlation_id: 228.1255399735350,
currency: USD,
ref_data: PB17124004T71,
signature: MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCAMIIFPTCCBCWgAwIBAgIQATRWDbb3ZHCeCCM+33x8xTANBgkqhkiG9w0BAQUFADCBtTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMmVmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQxMDAxMDAwMDAwWhcNMTYxMDAxMjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0dlb3JnaWExEDAOBgNVBAcUB0F0bGFudGExHzAdBgNVBAoUFkZpcnN0IERhdGEgQ29ycG9yYXRpb24xEDAOBgNVBAsUB1BheWVlenkxIjAgBgNVBAMUGXNlcnZpY2VzLWNlcnQucGF5ZWV6eS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCHFMBy5/AetBP/fTpEGqezgB/KNCl9Dzc8dL5i7txPFPzmaw2SzzaiOMxc4mKQCvu+LkARHxAxmG+KOlaEVIajL0ti15EuL2YlcYMXaCWJ+sjSMtq46KSUH/zJROosK+FeXFTgCmWRMsME0ulJA2oPaw+uNAOZUjIxWlahu6KmLlJkmPwohqu3JaKyg57WVkkwHKX0ZEe3BZcghX7+3NTJSd5Xh0vytpoOyrCgqQ94Cm3Wika+kuIQ3ENIYKmfAAvZW3cqJO5jFMQkYOkwZdIvSDpuWDdL5S3tVjzIgFCYwFp/+vIlICOoOHXslmRBDMDCk18j2OKdGTyA8LM/6RtAgMBAAGjggFyMIIBbjAkBg {clipped},
status: approved,
transaction_id: ET142226,
transaction_tag: 2233358591,
transaction_time: ********,
transaction_type: capture
}
}
I'll have to check with our development team but it does appear to use our public key and some type of base 64 encoding but I'll have to see whether the method is something that can be divulged.
Thank You!
What other, recommended, options do I have, to validate the webhook?
It would be unwise to trust the webhook data, without any validation.
What is the official way to validate a webhook? Could not find any info on that anywhere...
I also tried to get the event using the API:
https://api-cert.payeezy.com/v1/events/{id}
But this method returns 'Not found' at the time of webhook and only after about one minute of retries the event is found.