Verifying Webhooks
This guide shows how to confirm that a webhook comes from Credo Central, which prevents malicious actors from sending inappropriate data to your webhook endpoint.
Verifying signatures & Constructing the signed content
It is very important to verify that webhooks originate from Credo Central.
Each webhook call includes an X-Signature header, which is a SHA-512 hashed value.
The content to sign is composed by concatenating the Token and Business_code. In code, it will look something like:
const signedContent = `${Token}${Business_code}`
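One way to perform this check in Node.js, as an added example that is not Credo's own code. It assumes the X-Signature value is the hex-encoded SHA-512 digest and that Token is the secret value you hold for the webhook; the function names and sample values are constructed for illustration.

```javascript
// Added example (not Credo's code). Assumptions: X-Signature carries the
// SHA-512 digest as a hex string, and Token is the secret value you hold.
const nodeCrypto = require("node:crypto");

// SHA-512 over Token followed by Business_code, as described above.
function expectedSignature(token, businessCode) {
  return nodeCrypto
    .createHash("sha512")
    .update(`${token}${businessCode}`, "utf8")
    .digest("hex");
}

// Returns true only when the header matches the expected digest.
// Pass token and businessCode from your own configuration, not from the
// request body, because the body is supplied by the sender.
function verifyWebhook(headers, token, businessCode) {
  // Node lower-cases incoming header names.
  const received = headers["x-signature"];
  if (typeof received !== "string") return false; // missing or repeated header

  const candidate = received.trim().toLowerCase();
  if (!/^[0-9a-f]{128}$/.test(candidate)) return false; // not a 64-byte hex digest

  // Constant-time comparison; both buffers are exactly 64 bytes here.
  const expected = Buffer.from(expectedSignature(token, businessCode), "hex");
  return nodeCrypto.timingSafeEqual(expected, Buffer.from(candidate, "hex"));
}

// Constructed sample values, for illustration only.
const SAMPLE_TOKEN = "example-token-not-real";
const SAMPLE_BUSINESS_CODE = "700607002190001"; // same form as businessCode in the payload

function demo() {
  const sig = expectedSignature(SAMPLE_TOKEN, SAMPLE_BUSINESS_CODE);
  return {
    good: verifyWebhook({ "x-signature": sig }, SAMPLE_TOKEN, SAMPLE_BUSINESS_CODE),
    forged: verifyWebhook({ "x-signature": "0".repeat(128) }, SAMPLE_TOKEN, SAMPLE_BUSINESS_CODE),
    missing: verifyWebhook({}, SAMPLE_TOKEN, SAMPLE_BUSINESS_CODE),
  };
}

console.log(demo());
```

Reject the request (for example with an HTTP 401) and skip processing the body whenever verifyWebhook returns false.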
Webhook Structure Format
{
  "event": "transaction.successful",
  "data": {
    "businessCode": "700607002190001",
    "transRef": "cI9H00N2AB02Qb0s69Mj",
    "businessRef": "PL1683423455304ATm",
    "debitedAmount": 1000.0,
    "transAmount": 1000.0,
    "transFeeAmount": 15.0,
    "settlementAmount": 985.0,
    "customerId": "larrie4christ@gmail.com",
    "transactionDate": "May 7, 2023, 1:37:53 AM",
    "channelId": 1,
    "currencyCode": "NGN",
    "status": 0,
    "paymentMethodType": "MasterCard",
    "paymentMethod": "Card",
    "customer": {
      "customerEmail": "john.wick@yahoo.com",
      "firstName": "John",
      "lastName": "Wick",
      "phoneNo": "23470122199999"
    }
  }
}
Important: Where event is transaction.settlement.success, empty values are passed in the customer object.