Signature Verification

In addition to the webhook-hash header sent with each callback, there is another header named dusupay-signature, which helps merchants trust that callbacks originate from the DusuPay servers. Signature verification can be done with the following procedure:

  1. Retrieve the value of the dusupay-signature header.

  2. Form the string payload to be used in signature verification. It is obtained by concatenating values from the callback data in the format id:internal_reference:transaction_status:callback_url, where callback_url is the full URL as added to your merchant account settings. The other values are taken from the callback data. For example, assume the following is the callback data:

    {
        "id": 226,
        "request_amount": 10,
        "request_currency": "USD",
        "account_amount": 737.9934,
        "account_currency": "UGX",
        "transaction_fee": 21.4018,
        "total_credit": 716.5916,
        "customer_charged": false,
        "provider_id": "mtn_ug",
        "merchant_reference": "76859aae-f148-48c5-9901-2e474cf19b71",
        "internal_reference": "DUSUPAY405GZM1G5JXGA71IK",
        "transaction_status": "COMPLETED",
        "transaction_type": "collection",
        "message": "Transaction Completed Successfully"
    }

    and that the callback URL is The string payload would therefore be 226:DUSUPAY405GZM1G5JXGA71IK:COMPLETED:

  3. Obtain the public key as described here and store it as a file.

  4. Use the public key to verify the signature, as shown in the code samples below.

Signature Verification Code Samples

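Node.js

    const crypto = require('crypto');
    const fs = require('fs');

    function isValidSignature() {
        // id:internal_reference:transaction_status:callback_url
        const strPayload = "226:DUSUPAY405GZM1G5JXGA71IK:COMPLETED:";
        const signature = "value-of-dusupay-signature";
        const publicKeyFile = "path-to-file/dusupay.public.key.pem";
        // Turn literal "\n" sequences in the stored key back into newlines.
        const publicKey = fs.readFileSync(publicKeyFile).toString().replace(/\\n/g, '\n');
        const verify = crypto.createVerify("SHA512");
        // Feed the payload to the verifier; without this an empty message is checked.
        verify.update(strPayload);
        verify.end();
        /*true or false*/
        return verify.verify(publicKey, signature, 'base64');
    }

PHP

    // Method of your callback handler class.
    public function isValidSignature() {
        $file = "path-to-file/dusupay.public.key.pem";
        $keyContent = file_get_contents($file);
        $publicKey = openssl_get_publickey($keyContent);
        // id:internal_reference:transaction_status:callback_url
        $strPayload = "226:DUSUPAY405GZM1G5JXGA71IK:COMPLETED:";
        $signature = base64_decode("value-of-dusupay-signature");
        /*true or false*/
        // Same SHA512 digest as the Node.js sample; openssl_verify defaults to SHA1.
        return openssl_verify($strPayload, $signature, $publicKey, OPENSSL_ALGO_SHA512) === 1;
    }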
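The samples above hard-code the payload string. As an added example (not DusuPay's own code), the following builds the string from the parsed callback data, as step 2 describes, and rejects the callback on any failure. The function names, the callback URL https://merchant.example/callback and the throwaway RSA key pair are assumptions made for the demo; in production the PEM is the DusuPay public key from step 3.

```javascript
const crypto = require('crypto');

// Rebuild "id:internal_reference:transaction_status:callback_url" from the parsed body.
function buildPayload(callback, callbackUrl) {
  const fields = ['id', 'internal_reference', 'transaction_status'];
  for (const f of fields) {
    if (callback[f] === undefined || callback[f] === null || callback[f] === '') {
      throw new Error(`callback data is missing ${f}`);
    }
  }
  return [...fields.map((f) => String(callback[f])), callbackUrl].join(':');
}

// True only if the dusupay-signature value verifies over the rebuilt payload.
function verifyCallback(callback, signatureHeader, callbackUrl, publicKeyPem) {
  if (typeof signatureHeader !== 'string' || signatureHeader === '') return false;
  try {
    const verifier = crypto.createVerify('SHA512');
    verifier.update(buildPayload(callback, callbackUrl));
    verifier.end();
    return verifier.verify(publicKeyPem, signatureHeader, 'base64');
  } catch (err) {
    return false; // missing field, unreadable key or malformed signature: reject
  }
}

// Constructed demo: a throwaway RSA key pair stands in for DusuPay's key (assumption).
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pem = publicKey.export({ type: 'spki', format: 'pem' });
  const url = 'https://merchant.example/callback'; // hypothetical callback URL
  const body = { id: 226, request_amount: 10, transaction_status: 'COMPLETED',
    internal_reference: 'DUSUPAY405GZM1G5JXGA71IK' };
  const signer = crypto.createSign('SHA512');
  signer.update(buildPayload(body, url));
  const sig = signer.sign(privateKey, 'base64');
  return {
    genuine: verifyCallback(body, sig, url, pem),
    statusChanged: verifyCallback({ ...body, transaction_status: 'FAILED' }, sig, url, pem),
    otherUrl: verifyCallback(body, sig, 'https://merchant.example/other', pem),
    noHeader: verifyCallback(body, undefined, url, pem),
    // request_amount is not part of the signed string, so this still verifies.
    amountChanged: verifyCallback({ ...body, request_amount: 1000 }, sig, url, pem),
  };
}

console.log(demo());
```

Fields outside the signed string, such as request_amount, do not affect the result, so compare them with your own record of the transaction.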