Verifying the SOAP header in the response

To make sure that the response comes from the payment gateway, you can check the value of the received authentication token.

To do this, compute the authentication token one more time:

  1. Retrieve the values of shopId, timestamp, requestId, mode and authToken in the SOAP header of the response.
  2. Concatenate the timestamp and requestId attributes without a separator.
    Warning: the order of the attributes will be opposite to that in the query.

    Example of concatenation with:

    • timestamp = 2014-10-31T16:38:19Z
    • requestId = 04967dae-af01-43ff-a7d8-f3f228b9b1c2
  3. Apply the HMAC_SHA256 algorithm to the obtained string using the value of the test or production key (depending on the value of mode) as shared key.
  4. Encode the result in Base64.
  5. Compare the value of authToken situated in the SOAP HEADER with the value you have calculated.

If the values differ, the merchant analyses the error source (error of computation, fraud, etc.).

Note: the requestId transmitted in the header of the response will be identical to the one transmitted in the query by the merchant website.