Receiving Notifications

To increase security, there are several ways to ensure that the notifications received by the Merchant backend are actually sent by Midtrans.

Signature Key

Midtrans adds a Signature Key to every notification. The Signature Key is another option to verify the integrity of a notification. The logic of the Signature Key and the sample code to generate it are given below. If the generated Signature Key does not match the Signature Key in the notification, ignore the notification.

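  <?php
  // Values taken from the notification, used exactly as received
  $orderId = "1111";
  $statusCode = "200";
  $grossAmount = "100000.00";
  // Merchant server key (sample value)
  $serverKey = "askvnoibnosifnboseofinbofinfgbiufglnbfg";
  // Concatenate in the order given by signature_fields, then hash with SHA-512
  $input = $orderId.$statusCode.$grossAmount.$serverKey;
  $signature = openssl_digest($input, 'sha512');
  // Demo output only: $input contains the server key
  echo "INPUT: ", $input, "<br/>";
  echo "SIGNATURE: ", $signature;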

Notification Type         | signature_fields
Transaction notification  | order_id + status_code + gross_amount + merchant_server_key
Pay Account notification  | account_id + account_status + status_code + merchant_server_key
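
The receiving side of this check, as an added example that is not Midtrans code: it rebuilds the Signature Key for either notification type from the signature_fields table and compares it with the one received. The function name, the `signature_key` field name, and inferring the notification type from which ID field is present are assumptions of this example.

```php
<?php
// Added example, not Midtrans code. Field order per notification type is
// taken from the signature_fields table; everything else is an assumption.
const SIGNATURE_FIELDS = [
    'transaction' => ['order_id', 'status_code', 'gross_amount'],
    'pay_account' => ['account_id', 'account_status', 'status_code'],
];

// Hypothetical helper: $n is the decoded notification body.
function verifyNotificationSignature(array $n, string $serverKey): bool
{
    // Assumption: the type is inferred from which ID field is present.
    $type = isset($n['order_id']) ? 'transaction'
          : (isset($n['account_id']) ? 'pay_account' : null);
    // Assumption: the received Signature Key is in a field named signature_key.
    if ($type === null || !isset($n['signature_key']) || !is_string($n['signature_key'])) {
        return false;
    }
    $input = '';
    foreach (SIGNATURE_FIELDS[$type] as $field) {
        // Use each value exactly as received: turning "100000.00" into a
        // number and back changes the string and therefore the hash.
        if (!isset($n[$field]) || !is_string($n[$field])) {
            return false; // missing or non-string field: treat as invalid
        }
        $input .= $n[$field];
    }
    $expected = hash('sha512', $input . $serverKey);
    // hash_equals() compares in constant time, unlike == or strcmp().
    return hash_equals($expected, $n['signature_key']);
}

// Constructed sample built from the values in the sample code above.
$serverKey = 'askvnoibnosifnboseofinbofinfgbiufglnbfg';
$body = ['order_id' => '1111', 'status_code' => '200', 'gross_amount' => '100000.00'];
$body['signature_key'] = hash('sha512', '1111' . '200' . '100000.00' . $serverKey);
var_dump(verifyNotificationSignature($body, $serverKey));

// Same notification with the amount altered after signing.
$body['gross_amount'] = '1.00';
var_dump(verifyNotificationSignature($body, $serverKey));
```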

Challenge Response

This is an additional method to verify the authenticity of the notification. It can be achieved by calling the get status API for a Transaction notification or get account status for a Pay Account notification. The response is similar to the notification status.