Custom Payment Processor — Signature Verification Algorithm

I am building a custom payment processor integration with SBPay.me for my SimplyBook.me account (company login: illuminall).

I am receiving the POST callback correctly and can see all the fields including the signature. However, I cannot reproduce the correct HMAC SHA256 signature on my end to verify the request.

I have tried two approaches:

  1. Stripping the signature field from the raw URL-encoded POST body and computing HMAC SHA256 of the remainder using my Secret key
  2. Parsing all fields except signature into an array, sorting alphabetically, rebuilding as a query string, and computing HMAC SHA256 of that

Neither approach produces a signature that matches the one SBPay.me sends.

Could you please tell me exactly:

  1. What string is used as the input to the HMAC SHA256 function when generating the signature?
  2. Is the input the raw URL-encoded POST body, a decoded string, a JSON string, or something else?
  3. Are any fields excluded from the signature besides the signature field itself?
  4. Is the Secret key used as-is, or does it need to be decoded first?

Many thanks,
Mick

@dmytro_bondarev if it will help, I can send you my code (anonymised for security obviously). Let me know.

Thanks — this has been resolved on our end. We were joining field values with pipes (implode('|', $values)) which matches the SDK. No further action needed on this ticket.
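
The check discussed in this thread, as an added example that is not part of the original posts and is not SBPay.me's SDK code: it tries the pipe-joined input from the post above and the stripped raw body from approach 1 in the question, and reports which one verifies. The field names, values, secret, received field order, and lowercase-hex signature encoding are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example: field names, values and the secret are constructed; the field
// order and hex encoding are assumptions, not SBPay.me documentation.

/** Candidate 1 (from the thread): values of all fields except the signature, joined with '|'. */
function pipeJoinedInput(array $fields, string $sigField = 'signature'): string
{
    unset($fields[$sigField]);
    return implode('|', array_map('strval', $fields)); // keeps received order
}

/** Candidate 2 (approach 1 in the question): raw body with the signature pair removed. */
function rawBodyInput(string $rawBody, string $sigField = 'signature'): string
{
    $pairs = array_filter(
        explode('&', $rawBody),
        fn(string $p): bool => explode('=', $p, 2)[0] !== $sigField
    );
    return implode('&', $pairs); // no decode/re-encode, so bytes stay as sent
}

/** Returns the name of the input construction that verifies, or null if none does. */
function matchSignature(string $rawBody, string $secret): ?string
{
    parse_str($rawBody, $fields);
    $received = $fields['signature'] ?? '';
    if (!is_string($received) || $received === '') {
        return null; // reject unsigned or malformed callbacks
    }
    $candidates = [
        'pipe-joined values' => pipeJoinedInput($fields),
        'raw body'           => rawBodyInput($rawBody),
    ];
    foreach ($candidates as $name => $input) {
        $expected = hash_hmac('sha256', $input, $secret);     // lowercase hex
        if (hash_equals($expected, strtolower($received))) {  // constant-time compare
            return $name;
        }
    }
    return null;
}

// Constructed callback, signed the pipe-joined way, to exercise the check end to end.
$secret = 'constructed-secret';
$sig    = hash_hmac('sha256', '1001|25.00|paid', $secret);
$body   = "invoice_id=1001&amount=25.00&status=paid&signature=$sig";
var_dump(matchSignature($body, $secret));
```

Once one construction is confirmed against a real callback, keep only that one in the production handler and reject everything else.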

Hi, it is the raw request body.

You can see an example here: