MONEI-Signature header included in each signed request contains a timestamp and one or more signatures. The timestamp is prefixed by
t=, and each signature is prefixed by a scheme. Schemes start with
v, followed by an integer. Currently, the only valid live signature scheme is
Verifying signatures manually
Step 1: Extract the timestamp and the signature from the header
Split the header, using the
, character as the separator, to get a list of elements. Then split each element, using the
= character as the separator, to get a prefix and value pair.
The value for the prefix
t corresponds to the timestamp, and
v1 corresponds to the signature (or signatures). You can discard all other elements.
Step 2: Prepare the
signed_payload string is created by concatenating:
- The timestamp (as a string)
- The character
- The actual JSON payload (i.e., the request body)
Step 3: Determine the expected signature
Compute an HMAC with the SHA256 hash function. Use your account’s API Key as the key, and use the
signed_payload string as the message.
You can get your accounts password in MONEI Dashboard → Settings → API.
Step 4: Compare the signatures
Compare the signature in the header to the expected signature. For an equality match, compute the difference between the current timestamp and the received timestamp, then decide if the difference is within your tolerance.
To protect against timing attacks, use a constant-time string comparison to compare the expected signature to the received signature.