Verify the Callback Response

This article is for the Hosted Payment Method Pages (HPM) 1.0. Zuora has deprecated HPM 1.0. There are no further plans for HPM 1.0, and Zuora will no longer provide support for any issues with HPM 1.0. Payment Pages 2.0 are now generally available and are a replacement for HPM 1.0. To migrate from HPM 1.0 to Payment Pages 2.0, see this migration guide.

Overview

After providing a callback page, the next step is to verify that the callback response is actually coming from Zuora. 

Verify the Callback Response

When Zuora sends a response to the merchant's callback URL, Zuora attaches a signature to the response. Here is an example of a full callback URL:

http://yourdomain.com/yourapp/zuora_callback.php?id=4028e697325f8e970132603326446b33&tenantId=10514&timestamp=1316846058955&token=7av18bEz97Jrq9K6z0QPyvJpIqIxSmZc&responseSignature=ODU2ODMyZmY5YmFjNDQzZDQ4NmU2MDg3ODNkNzhlNTc=&success=true&refId=4028e4862ba3fcae012bad2c19e115b4&field_passthrough1=Capture&field_passthrough2=Step2

To verify the responseSignature:

  1. Create a signature using the steps from the Generate the Signature for the Hosted Payment Method page.
  2. Compare the outcome with the responseSignature parameter that was sent to you in the original query string. If they differ, do not trust the callback.
  3. Compare the timestamp parameter from the query string with the current time (in UTC format). If they differ by more than 300 seconds, do not trust the callback.
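
The three steps above as an added Python example; it is not Zuora's code. The signature-generation steps are not listed on this page, so the caller passes them in as compute_signature (a hypothetical name), and the timestamp is assumed to be milliseconds since the Unix epoch, as the 13-digit sample value suggests.

```python
import hmac
import time
from urllib.parse import urlsplit, parse_qs

MAX_SKEW_SECONDS = 300  # limit given in step 3

# The page's example callback URL, joined onto one line.
SAMPLE_URL = (
    "http://yourdomain.com/yourapp/zuora_callback.php"
    "?id=4028e697325f8e970132603326446b33&tenantId=10514"
    "&timestamp=1316846058955&token=7av18bEz97Jrq9K6z0QPyvJpIqIxSmZc"
    "&responseSignature=ODU2ODMyZmY5YmFjNDQzZDQ4NmU2MDg3ODNkNzhlNTc="
    "&success=true&refId=4028e4862ba3fcae012bad2c19e115b4"
    "&field_passthrough1=Capture&field_passthrough2=Step2"
)


def verify_callback(url, compute_signature, now=None):
    """Return (trusted, reason) for one callback URL.

    compute_signature (hypothetical name) is supplied by the caller: it takes
    the parsed parameters and returns the signature built with the steps from
    the signature-generation page, which are not listed on this page.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # A repeated parameter is ambiguous, so refuse rather than pick one copy.
    if any(len(values) != 1 for values in params.values()):
        return False, "repeated parameter"
    flat = {name: values[0] for name, values in params.items()}
    if "responseSignature" not in flat or "timestamp" not in flat:
        return False, "responseSignature or timestamp missing"

    # Steps 1-2: recompute and compare without leaking the mismatch position.
    expected = compute_signature(flat)
    if not hmac.compare_digest(expected.encode(), flat["responseSignature"].encode()):
        return False, "signature mismatch"

    # Step 3: assumes timestamp is milliseconds since the Unix epoch (UTC),
    # as the 13-digit sample value suggests.
    try:
        sent = int(flat["timestamp"]) / 1000
    except ValueError:
        return False, "timestamp not numeric"
    now = time.time() if now is None else now
    if abs(now - sent) > MAX_SKEW_SECONDS:
        return False, "timestamp outside 300-second window"
    return True, "ok"
```

Run the check before acting on success, refId or any passthrough field, and treat every failure reason the same way: do not trust the callback.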

What's Next

Next, learn about using hosted payment method pages with Zuora.