Webhook Common Rules

For security purposes, Binance adds a signature to each webhook notification. Partners need to verify the signature using the public key issued by Binance Pay.

Protocol Rules

The following specifies the rules for calling the Webhook Notification from Binance payment.

| Rule | Description |
| --- | --- |
| Transfer Mode | Use HTTPS for secure transactions. |
| Submit Mode | POST/GET, depends on the API. |
| Data Format | Data submitted and response are both in application/json format. |
| Char Encoding | Use UTF-8 character encoding. |
| Signature Algorithm | HMAC-SHA512. |
| Signature Requirement | Signature-checking is required for requesting and receiving data. |
| Logic Judgment | Determine protocol field, service field and transaction status. |

Request Header

| Attributes | Type | Required | Limitation | Description |
| --- | --- | --- | --- | --- |
| cert | long | Y | - | MD5 hash value of public key |
| nonce | string | Y | must be 32 digits | A random string with 32 bytes, e.g. pick a random ASCII character within a-z and A-Z, and loop 32 times to form a random string |
| timestamp | string | Y | - | Timestamp in milliseconds |
| signature | string | Y | - | Signature; see Verify the Signature |

Verify the Signature

Build the content

String payload = timestamp + "\n" + nonce + "\n" + body + "\n";

Sign the content with public key

String signature = hex(hmac("sha512", payload, publicKey)).toUpperCase();
compare signature with header.signature

Note:

  • '\n' is LF, ASCII value is 0x0A.
  • Parameter names are case-sensitive.
  • When checking the signature of returned data or a push notification, the transferred sign parameter is excluded from the signed content, as it is the value the created signature is compared with.
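
The two steps above as a webhook receiver check, written in Python. This is an added example, not code from Binance Pay. The function names, the dict of header values and the sample key and body are assumptions, and the key is assumed to be the UTF-8 bytes of the key string issued by Binance Pay, since the page does not specify its encoding.

```python
import hashlib
import hmac

REQUIRED_HEADERS = ("cert", "nonce", "timestamp", "signature")  # from the header table


def build_payload(timestamp: str, nonce: str, body: bytes) -> bytes:
    """timestamp + LF + nonce + LF + body + LF, using the body bytes exactly as received."""
    return timestamp.encode("utf-8") + b"\n" + nonce.encode("utf-8") + b"\n" + body + b"\n"


def expected_signature(key: bytes, timestamp: str, nonce: str, body: bytes) -> str:
    """Upper-case hex HMAC-SHA512 of the payload, as in the pseudocode above."""
    mac = hmac.new(key, build_payload(timestamp, nonce, body), hashlib.sha512)
    return mac.hexdigest().upper()


def verify_webhook(headers: dict, body: bytes, key: bytes) -> bool:
    """Return True only if every required header is present and the signature matches."""
    if any(not headers.get(name) for name in REQUIRED_HEADERS):
        return False
    nonce, timestamp = headers["nonce"], headers["timestamp"]
    # The header table requires a 32-character nonce and a millisecond timestamp.
    if len(nonce) != 32 or not timestamp.isdigit():
        return False
    expected = expected_signature(key, timestamp, nonce, body)
    # Constant-time comparison: do not use == on authentication tags.
    return hmac.compare_digest(expected.encode("ascii"), headers["signature"].encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not real Binance Pay data.
    key = b"constructed-demo-key"  # assumption: key string from Binance Pay, UTF-8 encoded
    body = b'{"orderId": "demo-1", "status": "PAID"}'
    headers = {"cert": "1", "nonce": "abcdefghijklmnopqrstuvwxyzABCDEF",
               "timestamp": "1700000000000"}
    headers["signature"] = expected_signature(key, headers["timestamp"], headers["nonce"], body)
    print("as received:  ", verify_webhook(headers, body, key))
    # Re-serialising the JSON changes the bytes, so the same logical message no longer verifies.
    print("re-serialised:", verify_webhook(headers, body.replace(b" ", b""), key))
```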