In order to increase the security aspect, there are several ways to ensure that the notifications received by Merchant backend, are actually sent by Midtrans.

Signature Key

Midtrans adds a Signature Key in every notification. Signature Key is another option to verify the integrity of notification. The logic of the Signature Key and the sample code to generate the Signature Key are given on the side. If the generated Signature Key does not match with the Signature Key on the notification, ignore the notification.

SHA512(signature_fields)

<?php
  $orderId = "1111";
  $statusCode = "200";
  $grossAmount = "100000.00";
  $serverKey = "askvnoibnosifnboseofinbofinfgbiufglnbfg";
  $input = $orderId.$statusCode.$grossAmount.$serverKey;
  $signature = openssl_digest($input, 'sha512');
  echo "INPUT: " , $input."<br/>";
  echo "SIGNATURE: " , $signature;
  ?>

Notification Type	signature_fields
Transaction notification	order_id + status_code + gross_amount + merchant_server_key
Pay Account notification	account_id + account_status + status_code + merchant_server_key

Push Notification and Get Status

This is an additional method to verify the authenticity of the notification. It can be achieved by calling the get status API for Transaction notification or get account status for Pay Account notification. The response is the similar as the notification status.