Verify webhook signature, wrong documentation?

ppazos
Contributor

I'm testing webhooks, triggered some events with the simulator and got this header:

 

   [PAYPAL-TRANSMISSION-SIG] => KOhSYOtSdtTDuflM2vTBzfwWdh3YvQRS7dSekbEi1wRML/qW+cJ/+wcvtz1KRtf2jHeiLgaZ6IQ1/0z+hueEga9Q7fWHelUdfRoEKzjenfMKUcqPtN87y7knkVig4vbAz+yoTxCCE8wi030MWk2WBvG/U7Zl1IdMs0j9KKPo/lVUZXXvKYb6xwcF5AztOZFeZUwvPeD8yHn2yohRJzkazkSq32mB/LDatUaKTTqh+HH0rUXXh+ApM7aQxiMA6OrmeHmnq05Vh39PlqmHNGofr9Cs4SyKiu4v/M5gkbtXtcINmbg7TYTyCl9LaA98Majl30TwRFXnHT+a9X8hASFWnw==

 

The documentation (https://developer.paypal.com/docs/integration/direct/webhooks/notification-messages/#event-headers) says that the signature is a concatenation of fields using pipe "|" as a separator. But I don't see any pipes in the signature I received.

 

Any ideas on how to verify the signature I received from the simulator?

1 REPLY

angelleye
Advisor
I haven't done much with Webhooks yet, but upon quickly skimming the doc you linked I think you're missing a step.

The value you're seeing is an encrypted value. In order to generate that same value and compare you need to create the pipe "|" separated string and then run it through the same encryption algorithm, which they're specifying in the PAYPAL-AUTH-ALGO header. Once you have the encrypted string you can compare that to PayPal's string and if they match then it validates.

Again, though, I just quickly reviewed this so I'm not 100% sure, but that's what it looks like to me at this point. Hope that helps.

Angell EYE - www.angelleye.com
PayPal Partner and Certified Developer - Kudos are Greatly Appreciated!
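
An added example, not code from either poster or from PayPal, showing how the header value relates to the pipe-separated string the documentation describes: the string `transmission id|transmission time|webhook id|CRC32 of the raw body` is the signed input, and the base64 value in PAYPAL-TRANSMISSION-SIG is checked against it with the public key from the certificate named in the PAYPAL-CERT-URL header. Assumptions: the `SHA256withRSA` value of PAYPAL-AUTH-ALGO, the toy key built from two Mersenne primes, and the constructed IDs, timestamp and body; the pure-Python RSASSA-PKCS1-v1_5 check stands in for a crypto library, and fetching and validating the certificate is not shown.

```python
import base64, hashlib, zlib

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def signed_message(transmission_id, transmission_time, webhook_id, raw_body):
    """The pipe-separated string that is signed; CRC32 is over the raw body bytes."""
    crc = zlib.crc32(raw_body) & 0xFFFFFFFF
    return f"{transmission_id}|{transmission_time}|{webhook_id}|{crc}".encode()

def pkcs1_encode(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify(n, e, message, signature):
    """RSASSA-PKCS1-v1_5 check: recover the encoding with the PUBLIC key (n, e)."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    return len(signature) == k and s < n and \
        pow(s, e, n).to_bytes(k, "big") == pkcs1_encode(message, k)

def verify_webhook(headers, raw_body, webhook_id, n, e):
    """True only if PAYPAL-TRANSMISSION-SIG is a valid signature over the fields."""
    try:
        if headers["PAYPAL-AUTH-ALGO"] != "SHA256withRSA":  # assumed header value
            return False
        sig = base64.b64decode(headers["PAYPAL-TRANSMISSION-SIG"], validate=True)
        msg = signed_message(headers["PAYPAL-TRANSMISSION-ID"],
                             headers["PAYPAL-TRANSMISSION-TIME"], webhook_id, raw_body)
    except (KeyError, ValueError):  # missing header or malformed base64
        return False
    return rsa_verify(n, e, msg, sig)

# --- Constructed demo data: toy key from two Mersenne primes, NOT a PayPal key ---
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q

def demo_sign(message):  # stand-in for the sender's private-key side, demo only
    k = (N.bit_length() + 7) // 8
    d = pow(E, -1, (P - 1) * (Q - 1))
    return pow(int.from_bytes(pkcs1_encode(message, k), "big"), d, N).to_bytes(k, "big")

def demo_headers(body, webhook_id):  # builds constructed headers for a body
    hdr = {"PAYPAL-AUTH-ALGO": "SHA256withRSA", "PAYPAL-TRANSMISSION-ID": "constructed-id-1",
           "PAYPAL-TRANSMISSION-TIME": "2024-01-01T00:00:00Z"}
    msg = signed_message(hdr["PAYPAL-TRANSMISSION-ID"], hdr["PAYPAL-TRANSMISSION-TIME"],
                         webhook_id, body)
    hdr["PAYPAL-TRANSMISSION-SIG"] = base64.b64encode(demo_sign(msg)).decode()
    return hdr
```

Pass the unparsed request body to `verify_webhook`: re-serialising the JSON changes the CRC32, so the check fails even for a genuine message.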