HMAC-SHA Signature
We recommend that you check the authenticity of the postback message by verifying its HMAC-SHA256 signature. ATLOS signs each message using your API secret. You can view your API secret in Merchant Panel under Settings. We pass the HMAC signature in the Signature header of the POST request.
JavaScript Example
var crypto = require('crypto');

// Returns true when the base64 HMAC-SHA256 of the raw request body, keyed
// with the merchant's API secret, matches the value of the Signature header.
function verifySignature(api_secret, signature, message_data) {
    var hmac = crypto.createHmac('sha256', api_secret);
    hmac.update(message_data);
    var message_signature = hmac.digest('base64');
    // Compare in constant time; timingSafeEqual requires equal-length buffers,
    // so check the length first instead of using a plain == comparison.
    var expected = Buffer.from(message_signature);
    var given = Buffer.from(String(signature || ''));
    return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}
A Note on Express
When using some frameworks, such as Express, that automatically parse POST requests and convert them into JSON format, you need to make sure to check the signature for the raw request body, not for the converted JSON data: re-serialising the parsed object can change the bytes (whitespace, key order), so the HMAC you compute will no longer match the header. See sample code for checking the HMAC signature in Node.js with Express on our GitHub.
Alternatively, instead of checking the signature, you may verify that a payment was actually received by calling the Transaction/List API method.