For security reasons (authenticity, integrity), every transmitted notification is provided with a signature. 

This signature is calculated both on the side of the service recipient (PAYONE) and on the side of the service provider (notification recipient). Requests should only be processed technically by the service provider if the calculated signature based on the request content corresponds to the signature provided by the service recipient.

Structure of the Signature

The signature is created based on the 'string-to-sign' and the 'secret' using the function HMAC-SHA-512 [RFC 2104]

The 'secret' is never transmitted in the communication, but is kept at the respective participant. An SHA512 hash of the PortalKey is used as the secret.

Determination of the 'string-to-sign'

The following values are included to determine the string-to-sign:

parameter format description

Unique request-ID from the HTTP-Header.

example: 67e96638-8295-41ad-894d-914900461f26

SHA512-Hash des Request Body

SHA512 Hash without salt of the request body.

example: B5AB92007F8FC0F2BE26919EE9064C6268767D67DBDA1E6


From the above-mentioned parameters, the string-to-sign is created in the order given above. For this, the values are concatenated separated by the separator ":".

Example 'string-to-sign':



Transmission of the Signature

The signature is transmitted by the service recipient - in addition to the unique technical request ID (X-Request ID) required to create the signature on the recipient side - in the http header field X-Auth-Code.



function verifyNotificationSignature(Request $request): bool
        $stringToSign = $request->getHeaderLine('X-Request-ID') . ':' . hash('sha512', trim($request->getBody()), false);
    $key = hash('sha512', $_ENV['PORTAL_KEY'], false);
    $signature = hash_hmac('sha512', $stringToSign, $key);
    return hash_equals($signature, $request->getHeaderLine('X-Auth-Code'));