Overview
After providing a callback page, the next step is to verify that the callback response is from Zuora.
Verifying the Callback Response
When Zuora sends a response to the merchant's callback URL, Zuora attaches a signature to the response. Here is an example of a full callback URL (line breaks were added to make it easier to read):
http://your-domain.com/callback.jsp?
id=4028e697325f8e970132603326446b33&
tenantId=10514&
timestamp=1316846058955&
token=7av18bEz97Jrq9K6z0QPyvJpIqIxSmZc&
responseSignature=ODU2ODMyZmY5YmFjNDQzZDQ4NmU2MDg3ODNkNzhlNTc=&
success=true&
refId=4028e4862ba3fcae012bad2c19e115b4
To verify the responseSignature:
- Create a query string using the four security parameters (id, tenantId, timestamp, token), and append the API Security Key. Using the example above (and the API Security Key from the Generating the URL section), the query string to be signed would look like this:
id=4028e697325f8e970132603326446b33&tenantId=10514&timestamp=1316846058955&token=7av18bEz97Jrq9K6z0QPyvJpIqIxSmZcPEq1yiahIyFO6XxpyuCWyLoG4ym_HAklH2-FfAisLuk=
- Create a signature using the same steps from the Generating the URL section.
- Compare the outcome with the responseSignature parameter that was sent to you in the original query string. If they differ, do not trust the callback.
- Compare the timestamp parameter from the query string with the current time (in UTC format). If they differ by more than 300 seconds, do not trust the callback.
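The four steps above combined into one check, as an added example that is not Zuora's own code. The `sign` function is a stand-in for the signing steps in the Generating the URL section, which this page does not reproduce, and the timestamp is assumed to be epoch milliseconds, as the 13-digit sample value suggests; the key and URL in the demo are constructed.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

MAX_SKEW_MS = 300 * 1000  # 300-second window from the last step above
SIGNED = ("id", "tenantId", "timestamp", "token")  # order used in the string to sign


def sign(data: str) -> str:
    # ASSUMPTION: stand-in for the signing steps of the "Generating the URL"
    # section, which this page does not reproduce. Swap in those exact steps.
    digest = hashlib.md5(data.encode("utf-8")).hexdigest()
    return base64.b64encode(digest.encode("ascii")).decode("ascii")


def verify_callback(url: str, api_security_key: str, now_ms=None, sign_fn=sign) -> bool:
    """Return True only if the signature matches and the timestamp is fresh."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Reject missing or repeated parameters rather than guessing which copy to trust.
    for name in SIGNED + ("responseSignature",):
        if len(params.get(name, [])) != 1:
            return False
    to_sign = "&".join(f"{n}={params[n][0]}" for n in SIGNED) + api_security_key
    expected = sign_fn(to_sign).encode("utf-8")
    received = params["responseSignature"][0].encode("utf-8")
    if not hmac.compare_digest(expected, received):  # constant-time comparison
        return False
    try:
        sent_ms = int(params["timestamp"][0])  # ASSUMPTION: epoch milliseconds (UTC)
    except ValueError:
        return False
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return abs(now_ms - sent_ms) <= MAX_SKEW_MS


if __name__ == "__main__":
    key = "constructed-example-key"  # constructed sample, not a real key
    fields = "id=abc123&tenantId=10&timestamp=1700000000000&token=tok456"
    url = ("http://merchant.example/callback?" + fields
           + "&responseSignature=" + sign(fields + key) + "&success=true")
    print(verify_callback(url, key, now_ms=1700000000000 + 120_000))  # fresh
    print(verify_callback(url, key, now_ms=1700000000000 + 301_000))  # stale
```

Checking the signature before the timestamp means the freshness test only ever runs on a timestamp value the signature covers.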
What's Next
Next, learn about Using Z-Payment Page with Zuora.