In order to increase security aspect, there are several ways to ensure notification received from Iris.
Signature Key
signature = OpenSSL::Digest::SHA512.new(payload + merchant_key).to_s
We add signature key information in our notification. The purpose of this signature key is to validate whether the notification is originated from Midtrans or not. Should the notification is not genuine, merchants can disregard the notification. We send the signature key via Header Iris-Signature.
Challenge Response
An additional mechanism we provide to verify the content and the origin of the notification is to challenge. This can be achieved by calling the Payout Details API.