Steps for Signature Verification

  1. Extract Signature: Extract the signature from the subscription data.
  2. Extract Data: Extract the relevant data fields from the subscription data.
  3. Recreate Message: Recreate the message by concatenating the extracted data fields.
  4. Compute Signature: Compute the signature using the same algorithm and secret key used for generating the original signature.
  5. Compare Signatures: Compare the extracted signature with the computed signature.
  6. Verification: If the two signatures match, the subscription data is considered valid. Otherwise, it may have been tampered with.

Example Code (Python)

import (

type RequestObj struct {
    Amount string
    ClientKey string
    Currency string
    Frequency string
    MerchantOrderRef string

func GenerateSignature(requestObj RequestObj, secretKey string) string {
    params := make(url.Values)
    params.Add("amount", requestObj.Amount)
    params.Add("client_key", requestObj.ClientKey)
    params.Add("currency", requestObj.Currency)
    params.Add("frequency", requestObj.Frequency)
    params.Add("merchant_order_ref", requestObj.MerchantOrderRef)

    data := params.Encode()

    secret := []byte(secretKey)
    message := []byte(data)

    hash := hmac.New(sha256.New, secret)

    // to base64
    hash_value := base64.StdEncoding.EncodeToString(hash.Sum(nil))
    return hash_value