Add an extra layer of security to your MarketPay notifications.
By default, Adyen notifications use mutual authentication over SSL in combination with basic authentication. You can optionally enable Hash-based Message Authentication Code (HMAC) signatures, which adds an extra layer of security to your Standard notifications.
An HMAC signature is calculated using a request's key-value pairs and a secret key, which is known only to you and the Adyen payments platform. By verifying this signature, you'll confirm that the notification was not modified during transmission.
Enable HMAC signatures
You can use any 32bit hexadecimal HMAC key you like. If you subscribe to payment notifications you can reuse the same key. For more information, see Signing notifications with HMAC.
If you generate a new HMAC key, your previous notifications will still be signed with your previous HMAC key.
Subscribe to notifications
Subscribe to notifications with a HMAC Signature Key to receive HMAC signed notifications to the URL you specify in the
/createNotificationConfiguration call. We activate the ACCOUNT_HOLDER_VERIFICATION notification and send it to the endpoint on your server ( using the specified connection credentials (testUserName and testPassword).
Verify HMAC signature
To verify the signature, retrieve the values of the
Protocol parameters from the HTTP header of the incoming notification.
HmacSignature contains the signature itself and
Protocol is the protocol used to create the signature (only SHA256 is supported).
To compute the HMAC signature, apply the algorithm/protocol to the whole HTTP body using the key. If the computed HMAC signature is equal to the one in the header, the verification is successful.
Perform this check before deserializing the request. If you perform deserialization before verifying, a valid signature may fail due to a different order of the JSON elements
HMAC signature examples
To calculate the HMAC signature for a MarketPay notification:
If the calculated
HmacSignature matches the value you received in the notification, the notification wasn't modified during transmission.
The following is an example of a header containing an HMAC signature: