Webhook Common Rules
For security purposes, Binance adds a signature to each webhook notification. The partner needs to verify the signature using the public key issued by Binance Pay.
The following specifies the rules for webhook notifications sent by Binance Pay.
|Transfer Mode||Use HTTPS for secure transactions.|
|Submit Mode||POST/GET, depends on the API.|
|Data Format||Data submitted and response are both in application/json format.|
|Char Encoding||Use UTF-8 character encoding.|
|Signature Algorithm||RSA, asymmetric cryptographic algorithm|
|Signature Requirement||Signature-checking is required for requesting and receiving data.|
|Logic Judgment||Determine protocol field, service field and transaction status.|
|BinancePay-Certificate-SN||long||Y||-||MD5 hash value of public key|
|BinancePay-Nonce||string||Y||must be 32 digits||A random string of 32 bytes, e.g. pick a random ASCII character within a-z and A-Z, looping 32 times to form the random string|
|BinancePay-Timestamp||string||Y||-||Unix timestamp in milliseconds|
|BinancePay-Signature||string||Y||-||signature, generated by Binance Pay|
# Verify the Signature
# Build the payload
- '\n' is LF, ASCII value is 0x0A
# Decode the Signature with Base64
# Verify the content with public key
- Hash algorithm should use SHA256
Sample Java code is here, together with org.bouncycastle toolkit.
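The three verification steps above as an added Node.js example (not Binance Pay's sample code), using only the built-in crypto module. The payload layout (timestamp, nonce and raw body, each followed by LF), the five-minute timestamp window and the `keysBySn` lookup are assumptions not stated on this page; the key pair and request in `demo()` are constructed.

```javascript
const nodeCrypto = require("node:crypto");

const MAX_SKEW_MS = 5 * 60 * 1000; // assumed replay window; not a value from this page

// Assumed payload layout (not shown on this page): timestamp, nonce, raw body, each followed by LF (0x0A).
function buildPayload(timestamp, nonce, rawBody) {
  return `${timestamp}\n${nonce}\n${rawBody}\n`;
}

// headers: lower-cased header map; rawBody: request body exactly as received.
// keysBySn: hypothetical Map from BinancePay-Certificate-SN to the PEM public key issued for it.
function verifyWebhook(headers, rawBody, keysBySn, now = Date.now()) {
  const ts = headers["binancepay-timestamp"];
  const nonce = headers["binancepay-nonce"];
  const sigB64 = headers["binancepay-signature"];
  const pem = keysBySn.get(headers["binancepay-certificate-sn"]);
  if (!ts || !nonce || !sigB64 || !pem) return false;
  if (nonce.length !== 32) return false;
  if (!/^\d+$/.test(ts) || Math.abs(now - Number(ts)) > MAX_SKEW_MS) return false;
  try {
    const signature = Buffer.from(sigB64, "base64"); // decode the signature with Base64
    const payload = Buffer.from(buildPayload(ts, nonce, rawBody), "utf8");
    return nodeCrypto.verify("sha256", payload, pem, signature); // RSA PKCS#1 v1.5 with SHA-256
  } catch {
    return false; // malformed key or signature: reject
  }
}

// Constructed demo: a throwaway key pair stands in for the Binance Pay signing key.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const keysBySn = new Map([["sample-sn", publicKey.export({ type: "spki", format: "pem" })]]);
  const now = 1700000000000; // constructed clock value
  const rawBody = '{"orderId": "demo-1", "status": "PAID"}'; // constructed body
  const headers = {
    "binancepay-certificate-sn": "sample-sn",
    "binancepay-nonce": "abcdefghijklmnopqrstuvwxyzABCDEF",
    "binancepay-timestamp": String(now),
  };
  const payload = buildPayload(headers["binancepay-timestamp"], headers["binancepay-nonce"], rawBody);
  headers["binancepay-signature"] = nodeCrypto.sign("sha256", Buffer.from(payload, "utf8"), privateKey).toString("base64");
  return {
    valid: verifyWebhook(headers, rawBody, keysBySn, now),
    reserialized: verifyWebhook(headers, JSON.stringify(JSON.parse(rawBody)), keysBySn, now),
    stale: verifyWebhook(headers, rawBody, keysBySn, now + MAX_SKEW_MS + 1),
    unknownKey: verifyWebhook(headers, rawBody, new Map(), now),
  };
}
```

Verify against the body bytes exactly as received: the `reserialized` case fails because parsing and re-encoding the JSON changes its whitespace, and therefore the signed payload.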