After providing a callback page, the next step is to verify that the callback response is actually coming from Zuora.
Verify the Callback Response
When Zuora sends a response to the merchant's callback URL, Zuora attaches a signature to the response. Here is an example of a full callback URL:
To verify the responseSignature:
- Create a signature using the steps from the Generate the Signature for the Hosted Payment Method page.
- Compare the outcome with the
responseSignatureparameter that was sent to you in the original query string. If they differ, do not trust the callback.
- Compare the timestamp parameter from the query string with the current time (in UTC format). If they differ by more than 300 seconds, do not trust the callback.
Next, learn about using hosted payment method pages with Zuora.