Signature generation algorithm in callback request body
When transaction statuses are updated, a request with the following body is sent to your specified endpoint. Example:
{
  "transaction_uid": "583de7f8-2ced-41d8-acc5-5f559e997748",
  "amount": 100,
  "status": "Created",
  "currency_id": "TRY",
  "external_id": "gat 14",
  "comment": "invoice",
  "recalculated": false,
  "updated_at": "2023-07-07T06:07:03.098+00:00",
  "type": "invoice",
  "sign": "a5c58b3a2f9ece478c14f4d7596ba8482bf7923250b2cfea90e774cf0268c5f9"
}
To generate a string identical to the value of the sign field, first take the request body without the sign field. Example:
{
  "transaction_uid": "583de7f8-2ced-41d8-acc5-5f559e997748",
  "amount": 100,
  "status": "Created",
  "currency_id": "TRY",
  "external_id": "gat 14",
  "comment": "invoice",
  "recalculated": false,
  "updated_at": "2023-07-07T06:07:03.098+00:00",
  "type": "invoice"
}
Then sort the object properties alphabetically. Example:
{
  "amount": 100,
  "comment": "invoice",
  "currency_id": "TRY",
  "external_id": "gat 14",
  "recalculated": false,
  "status": "Created",
  "transaction_uid": "583de7f8-2ced-41d8-acc5-5f559e997748",
  "type": "invoice",
  "updated_at": "2023-07-07T06:07:03.098+00:00"
}
Next, remove all key names and convert the object to a string, joining the values with a colon ":" delimiter. Example:
100:invoice:TRY:gat 14:false:Created:583de7f8-2ced-41d8-acc5-5f559e997748:invoice:2023-07-07T06:07:03.098+00:00
If any property, for example comment, was null instead of "invoice", then the string would look like this:
100::TRY:gat 14:false:Created:583de7f8-2ced-41d8-acc5-5f559e997748::2023-07-07T06:07:03.098+00:00
and not like this:
100:null:TRY:gat 14:false:Created:583de7f8-2ced-41d8-acc5-5f559e997748::2023-07-07T06:07:03.098+00:00
Then compute the HMAC-SHA256 of the resulting string, keyed with your unique secret_key, and take the result as a hex string (if you haven't received a secret_key, please request it from support). For example, in our case: secret_key=d2d39fbc327d53ade165047eb86f289b1f4b0b5a1bc644bd165592fa6e297c22. Example signature generation code in JavaScript (Node.js) (where input is the object from step 2 without the sign field):
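import {createHmac} from 'crypto';
// sort() compares the [key, value] pairs as "key,value" strings, which orders them by key;
// join() renders null values as empty strings.
const signString = Object.entries(input).sort().map((v) => v[1]).join(':');
// HMAC-SHA256 keyed with the secret_key string, hex-encoded.
const signature = createHmac('sha256', secret_key).update(signString).digest('hex');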
in our case:
signature = a5c58b3a2f9ece478c14f4d7596ba8482bf7923250b2cfea90e774cf0268c5f9
Finally, compare the generated string with the sign value from the original object. If they match, the signature is valid. You can verify it using online tools such as hmac-sha256-online.
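The whole procedure above as a callback verifier, including the final comparison done in constant time with timingSafeEqual. This is an added example, not the provider's own code: the function names and SAMPLE_KEY are assumptions, the sample body reuses the field values shown above and is signed with the placeholder key, and it uses require instead of import so it runs as a plain Node.js script.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Rebuild the string that is signed: drop "sign", order the remaining keys
// alphabetically, keep only the values, render null as "", join with ":".
function buildSignString(body) {
  const { sign, ...fields } = body;
  return Object.keys(fields)
    .sort()
    .map((key) => (fields[key] === null || fields[key] === undefined ? '' : String(fields[key])))
    .join(':');
}

// Hex HMAC-SHA256 of the sign string, keyed with the secret_key string.
function computeSign(body, secretKey) {
  return createHmac('sha256', secretKey).update(buildSignString(body)).digest('hex');
}

// True only if body.sign is 64 hex characters and equals the recomputed value.
function verifyCallback(body, secretKey) {
  if (body === null || typeof body !== 'object') return false;
  if (typeof body.sign !== 'string' || !/^[0-9a-f]{64}$/i.test(body.sign)) return false;
  const expected = Buffer.from(computeSign(body, secretKey), 'hex');
  const received = Buffer.from(body.sign, 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  return timingSafeEqual(expected, received);
}

// Constructed sample: field values from the example above, placeholder key.
const SAMPLE_KEY = 'placeholder-secret-key';
const sampleBody = {
  transaction_uid: '583de7f8-2ced-41d8-acc5-5f559e997748',
  amount: 100,
  status: 'Created',
  currency_id: 'TRY',
  external_id: 'gat 14',
  comment: 'invoice',
  recalculated: false,
  updated_at: '2023-07-07T06:07:03.098+00:00',
  type: 'invoice',
};
sampleBody.sign = computeSign(sampleBody, SAMPLE_KEY);

console.log('untouched body:', verifyCallback(sampleBody, SAMPLE_KEY));
console.log('amount changed:', verifyCallback({ ...sampleBody, amount: 1000 }, SAMPLE_KEY));
```

Run verifyCallback on the parsed callback body before acting on the status it reports, and reject the request when it returns false.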