Protecting your sensitive data
Checking a Webhook Signature
BlockATM signs the webhook events and requests it sends to your endpoints. Each request carries the signature in the BlockATM-Signature-V1 header and the sending timestamp in the BlockATM-Request-Time header. This lets you verify that an event or request was sent by BlockATM and not by a third party.
Before you can verify signatures for webhook events, you need to retrieve the public key from the BlockATM console.
BlockATM generates signatures with ECDSA (Elliptic Curve Digital Signature Algorithm). ECDSA is a signature algorithm, not an encryption algorithm: the public key from the console can only verify signatures, it cannot produce them, so it is safe to store alongside your endpoint code.
step 1
Concatenate all top-level parameters of the JSON object as "key=value" pairs, sorted by key in ascending ASCII order and separated by "&". Values are written as they appear in the JSON, without quotes. Then append the value of the BlockATM-Request-Time request header as "&time=<value>" at the end.
Here is an example of the signature parameters and the resulting signature:
{
"amount":"13.410037",
"chainId":"5",
"custNo":"OrderNO_123456",
"fee":"2",
"network":"TRON",
"platOrderNo":"8210000374",
"status":1,
"symbol":"USDT",
"txId":"1t",
"type":1
}
# You get the time from the request header BlockATM-Request-Time
# (milliseconds since the Unix epoch). Example of time: 1696946592054
# Concatenating the sorted parameters and the time gives:
amount=13.410037&chainId=5&custNo=OrderNO_123456&fee=2&network=TRON&platOrderNo=8210000374&status=1&symbol=USDT&txId=1t&type=1&time=1696947336603
# You get the signature from the request header BlockATM-Signature-V1
# (Base64 text). Example of signature:
MEYCIQDHxQ0IhgUNbRqTKbU71fBkp+lAJlMXEQYt6mDQfWRY7gIhAMWIpVoG6qBhgIPi30x30wLlAaxyhptZfm6nMRz75VxA
step 2
Verify the signature over the concatenated string with the SHA256withECDSA algorithm: hash the UTF-8 bytes of the string with SHA-256 and check the ECDSA signature against the public key from the console. The BlockATM-Signature-V1 header value is Base64-encoded, so decode it before handing it to the verifier.
If the signature verification succeeds, you can proceed with your business logic. Otherwise, discard the message. Additionally, check the BlockATM-Request-Time value against your own clock and reject messages that are too old: the timestamp is part of the signed string, so this rejects replays of a genuinely signed request, which the signature check alone cannot detect.
You can leverage an open-source demo from GitHub to help you with the implementation.
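The following is an added example of both steps in Go (not the GitHub demo and not BlockATM's own code). It builds the canonical string, checks the timestamp window, Base64-decodes the header and verifies the DER-encoded ECDSA signature with SHA-256, using only the standard library. Because the real public key is not on this page, the example generates a throwaway P-256 key pair and signs the sample event itself to stand in for BlockATM; the curve, the five-minute freshness window and the helper names (SignRequest, NewDemoKeyPair) are assumptions for the demo, not part of the BlockATM specification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// SampleEvent reproduces the page's example payload; status and type are numbers, the rest strings.
var SampleEvent = map[string]interface{}{
	"amount": "13.410037", "chainId": "5", "custNo": "OrderNO_123456", "fee": "2",
	"network": "TRON", "platOrderNo": "8210000374", "status": 1, "symbol": "USDT",
	"txId": "1t", "type": 1,
}

// MaxSkewMs is an assumed freshness window; BlockATM does not specify one.
const MaxSkewMs int64 = 5 * 60 * 1000

// CanonicalString implements step 1: key=value pairs sorted by key in byte (ASCII) order,
// joined with '&', followed by '&time=<BlockATM-Request-Time>'. When decoding the body with
// encoding/json, use Decoder.UseNumber so numeric values keep their wire representation.
func CanonicalString(event map[string]interface{}, requestTime string) string {
	keys := make([]string, 0, len(event))
	for k := range event {
		keys = append(keys, k)
	}
	sort.Strings(keys) // byte-wise comparison equals ASCII order for ASCII keys
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%v&", k, event[k])
	}
	b.WriteString("time=" + requestTime)
	return b.String()
}

// ParsePublicKey loads the PEM public key downloaded from the BlockATM console.
func ParsePublicKey(pemBytes []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block in public key")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ecKey, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not an EC key")
	}
	return ecKey, nil
}

// VerifyWebhook implements step 2 plus the timestamp check. nowMs is injected so the check is testable;
// with net/http read the headers via r.Header.Get, which is case-insensitive.
func VerifyWebhook(pub *ecdsa.PublicKey, event map[string]interface{}, headers map[string]string, nowMs int64) error {
	requestTime, sigB64 := headers["BlockATM-Request-Time"], headers["BlockATM-Signature-V1"]
	if requestTime == "" || sigB64 == "" {
		return errors.New("missing BlockATM signature headers")
	}
	sentMs, err := strconv.ParseInt(requestTime, 10, 64)
	if err != nil {
		return errors.New("BlockATM-Request-Time is not a millisecond timestamp")
	}
	if d := nowMs - sentMs; d > MaxSkewMs || d < -MaxSkewMs {
		return errors.New("request outside freshness window (replay or clock skew)")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64) // header carries Base64 of a DER signature
	if err != nil {
		return errors.New("BlockATM-Signature-V1 is not valid Base64")
	}
	digest := sha256.Sum256([]byte(CanonicalString(event, requestTime)))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) { // SHA256withECDSA
		return errors.New("signature mismatch")
	}
	return nil
}

// SignRequest stands in for BlockATM's side in this demo: it produces the two headers for an event.
func SignRequest(priv *ecdsa.PrivateKey, event map[string]interface{}, sentMs int64) (map[string]string, error) {
	requestTime := strconv.FormatInt(sentMs, 10)
	digest := sha256.Sum256([]byte(CanonicalString(event, requestTime)))
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return map[string]string{
		"BlockATM-Request-Time": requestTime,
		"BlockATM-Signature-V1": base64.StdEncoding.EncodeToString(der),
	}, nil
}

// NewDemoKeyPair makes a throwaway P-256 key and its PEM public key (in production the PEM comes from the console).
func NewDemoKeyPair() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func main() {
	priv, pubPEM, err := NewDemoKeyPair()
	if err != nil {
		panic(err)
	}
	pub, err := ParsePublicKey(pubPEM)
	if err != nil {
		panic(err)
	}
	now := time.Now().UnixMilli()
	headers, _ := SignRequest(priv, SampleEvent, now)
	tampered := map[string]interface{}{}
	for k, v := range SampleEvent {
		tampered[k] = v
	}
	tampered["amount"] = "9999"
	fmt.Println("genuine: ", VerifyWebhook(pub, SampleEvent, headers, now))
	fmt.Println("tampered:", VerifyWebhook(pub, tampered, headers, now))
	fmt.Println("replayed:", VerifyWebhook(pub, SampleEvent, headers, now+10*MaxSkewMs))
}
```

The timestamp check runs before the signature check only to fail cheap cases early; it is the signature that binds the timestamp to the body, so neither check is sufficient on its own. Keep the tolerance window small and, if your endpoint sees high volume, consider also recording recently seen platOrderNo values so that a replay inside the window is caught as a duplicate.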