OPay Callback Notification Signature
Whenever the status of any of your transaction has been updated, e.g. a reference code payment has been paid, OPay
will keep you informed at your designated callBackUrl. Since anyone can get hold of your
endpoint and attempt to send you phony event objects for malicious purposes
(e.g. to see if they can mark their subscription to your product as renewed just in case
you aren't running any verifications on the transaction reference),
it is important to verify that callbacks originate from OPay.
You can do any or both of the below to verify callbacks from OPay:
- Watch the IPs and accept callbacks only from our IPs.
- Validate the Signature as described in the section that follows.
In this page, you will learn:
- How to calculate the signature of the received callback.
- How to validate OPay callback signature.
Callback Signature
Header contains the "Signature" , "MerchantId" and "RequestTimestamp"
Signature is calculated using SHA-512 HMAC signed with your Private Key for the concatenation of request timestamp and request body:
See API Calls Signature v2 section for more details.
Callback Request
-Request Parameters:
- Header: Authorization(API Calls Signature v2), MerchantId and RequestTimestamp
- Json object containing the transaction information:
Authorization: {signature}
MerchantId : 256612345678901
RequestTimestamp : 1631106688000
{
"amount":{
"currency":"EGP",
"total":400
},
"country":"EG",
"failureCode":"01582",
"failureReason":"Invalid CVV/CVC.",
"notifyId":"68d9b42c1e694ebc921af92b76804d23",
"orderNo":"211005140885652282",
"reference":"92631092",
"status":"FAIL",
"timestamp":1633411815591,
"type":"MACQUIRING_CALLBACK"
"extras":{}
}
HTTP POST Parameters
-Here is a detailed description for the parameters you need to complete the POST request:
