Webhook Validation & Request Integrity

You can confirm the integrity of the webhooks we send to notify you of transaction progress using the same digital signature endpoint.

We send the webhook along with a signature field.

You can then sign the webhook (excluding the signature) with the digital signature endpoint and compare the signature value received from the endpoint with the signature value on the webhook sent; if they are different it means the body has been tampered with and the webhook should be discarded.

Digital Signature

The digital signature endpoint is used to sign request, and confirm data integrity (validate webhooks or callbacks)

In order to create a collection request the request first has to be signed at the digital signature endpoint. This allows us to confirm the integrity of the request reaching us before we process it.

Another transactions that has to be signed before posting is payout request.

How request are signed

Request are signed by posting them to the following endpoint and signing them with the approriate credentials

Collection Orders

Collection orders are signed with merchant and partner secret concatenated

Payout Orders

request are only signed with the merchant secrete keys.

Digital Signature

POST https://exchanger-api.fuspay.finance/api/v1/no-auth/PartnerP2P/SignRequestSha512/

The object is signed without including the signature field. Also sign exactly the fields that would be posted to the transaction endpoint (Collection or payout)

Please make sure we have whitelisted all your IPs

Headers

Request Body

Sample code for collection

const request = require('request');


const options = {
  method: 'POST',
  url: 'https://exchanger-api.fuspay.finance/api/v1/no-auth/PartnerP2P/SignRequestSha512',
  headers: {'Content-Type': 'application/json'},
  body: {
    partner_order_id: 'FUSPAY-00400-001-091-008',
    amount_to_collect: '30',
    timestamp: 1693285902419,
    order_expiration: 1693285902419,
    intrapay_merchant_id: "",
    partner_id: ""
    currency: 'NGN',
    partner_callback_url: 'https://webhook.site/xxxxxxxx',
    partner_redirect_url: 'https://google.com',
    secret: '4LJDHGA-SJTECNA-XXXX-XXXXsk_partner_ph25sjy-qtfeoxy-rqbvzyq-z-xx'
  },
  json: true
};

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});

You can confirm the integrity of the webhooks we send to notify you of transaction progress using the same digital signature endpoint.

We send the webhook along with a signature field.

You can then sign the webhook (excluding the signature) with the digital signature endpoint and compare the signature value received from the endpoint with the signature value on the webhook sent; if they are different it means the body has been tampered with and the webhook should be discarded.

Digital Signature

POST https://exchanger-api.fuspay.finance/api/v1/no-auth/PartnerP2P/SignRequestSha512/

The object is signed without including the signature field. Also sign exactly the fields that would be posted to the transaction endpoint (Collection or payout)

Please make sure we have whitelisted all your IPs

Headers

Request Body

Sample code for collection

const request = require('request');


const options = {
  method: 'POST',
  url: 'https://exchanger-api.fuspay.finance/api/v1/no-auth/PartnerP2P/SignRequestSha512',
  headers: {'Content-Type': 'application/json'},
  body: {
    partner_order_id: 'FUSPAY-00400-001-091-008',
    amount_to_collect: '30',
    timestamp: 1693285902419,
    order_expiration: 1693285902419,
    intrapay_merchant_id: "",
    partner_id: ""
    currency: 'NGN',
    partner_callback_url: 'https://webhook.site/xxxxxxxx',
    partner_redirect_url: 'https://google.com',
    secret: '4LJDHGA-SJTECNA-XXXX-XXXXsk_partner_ph25sjy-qtfeoxy-rqbvzyq-z-xx'
  },
  json: true
};

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});