In order to increase the security aspect, there are several ways to ensure that the notifications received by Merchant backend, are actually sent by Midtrans.
Signature Key
Midtrans adds a Signature Key in every notification. Signature Key is another option to verify the integrity of notification. The logic of the Signature Key and the sample code to generate the Signature Key are given on the side. If the generated Signature Key does not match with the Signature Key on the notification, ignore the notification.
SHA512(signature_fields)
<?php
$orderId = "1111";
$statusCode = "200";
$grossAmount = "100000.00";
$serverKey = "askvnoibnosifnboseofinbofinfgbiufglnbfg";
$input = $orderId.$statusCode.$grossAmount.$serverKey;
$signature = openssl_digest($input, 'sha512');
echo "INPUT: " , $input."<br/>";
echo "SIGNATURE: " , $signature;
?>
| Notification Type | signature_fields |
|---|---|
| Transaction notification | order_id + status_code + gross_amount + merchant_server_key |
| Pay Account notification | account_id + account_status + status_code + merchant_server_key |
Push Notification and Get Status
This is an additional method to verify the authenticity of the notification. It can be achieved by calling the get status API for Transaction notification or get account status for Pay Account notification. The response is the similar as the notification status.
