Request Authentication
The following header is sent in the HTTP request to allow verification of its integrity and authenticity:
PayPay-Signature: hash=14d06cc11e0479c2ffe138d963462bc0f0ad94e8e006cf4f1f494c5e30bd1830,ts=1615826436
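The header consists of the signature hash (hash) and the timestamp (ts). To verify that the request is valid, compute the following HMAC, where [payload] is the raw request body and + denotes string concatenation, and check that it matches the hash in the header. As the example below shows, compare the two values with a constant-time function (hash_equals) and reject requests whose ts is too old (30 minutes in the example), so that a captured request cannot be replayed indefinitely: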
hash_hmac("SHA256", [payload] + [ts], [Password/Private Key])
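/**
 * Verifies the PayPay-Signature header of the current HTTP request.
 *
 * The header has the form "hash=<hex>,ts=<unix time>". The request is accepted
 * only when ts is newer than 30 minutes ago and hash equals the HMAC-SHA256 of
 * the raw request body concatenated with ts, keyed with $private_key.
 *
 * Malformed or incomplete headers are rejected with false rather than raising
 * warnings or a TypeError, so unauthenticated input cannot turn into a 500.
 *
 * NOTE(review): only an age limit is enforced; a signed timestamp in the future
 * is accepted. Consider also bounding ts from above by the clock skew you expect.
 *
 * @param string $private_key Shared secret used as the HMAC key.
 * @return bool True when the header is well-formed, fresh and the HMAC matches.
 */
private function has_valid_signature( $private_key ) {
    // An empty key would make the HMAC computable by anyone: fail closed.
    if ( ! is_string( $private_key ) || '' === $private_key ) {
        return false;
    }

    if ( ! isset( $_SERVER['HTTP_PAYPAY_SIGNATURE'] ) || ! is_string( $_SERVER['HTTP_PAYPAY_SIGNATURE'] ) ) {
        return false;
    }

    // Turn "hash=...,ts=..." into a query string so parse_str() can split it.
    parse_str( str_replace( ',', '&', $_SERVER['HTTP_PAYPAY_SIGNATURE'] ), $fields );

    $ts   = $fields['ts'] ?? null;
    $hash = $fields['hash'] ?? null;

    // parse_str() yields arrays for inputs such as "hash[]=x"; require plain
    // strings in the expected shape before they reach (int) or hash_equals().
    if ( ! is_string( $ts ) || 1 !== preg_match( '/\A[0-9]+\z/', $ts ) ) {
        return false;
    }
    if ( ! is_string( $hash ) || 1 !== preg_match( '/\A[0-9a-f]{64}\z/', $hash ) ) {
        return false;
    }

    // Freshness window: reject anything signed 1800 seconds ago or earlier.
    if ( (int) $ts <= time() - 1800 ) {
        return false;
    }

    $body = file_get_contents( 'php://input' );
    if ( false === $body ) {
        return false;
    }

    $expected = hash_hmac( 'sha256', $body . $ts, $private_key );

    // hash_equals() expects the known value first and the user-supplied one second.
    return hash_equals( $expected, $hash );
}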