For security reasons (authenticity, integrity), every transmitted notification is provided with a signature.
This signature is calculated both on the side of the service recipient (PAYONE) and on the side of the service provider (notification recipient). Requests should only be processed technically by the service provider if the calculated signature based on the request content corresponds to the signature provided by the service recipient.
The signature is created based on the 'string-to-sign' and the 'secret' using the function HMAC-SHA-512 [RFC 2104]
The 'secret' is never transmitted in the communication, but is kept at the respective participant. An SHA512 hash of the PortalKey is used as the secret.
The following values are included to determine the string-to-sign:
Unique request-ID from the HTTP-Header.
SHA512-Hash des Request Body
SHA512 Hash without salt of the request body.
From the above-mentioned parameters, the string-to-sign is created in the order given above. For this, the values are concatenated separated by the separator ":".
The signature is transmitted by the service recipient - in addition to the unique technical request ID (X-Request ID) required to create the signature on the recipient side - in the http header field X-Auth-Code.