Signature Verification

In addition to the header,webhook-hash when calling back, there's another header with the name,dusupay-signature and this is to help merchants trust that the callbacks originate from the DusuPay servers. Signature verification can be done with the following procedure;

  1. Retrieve the value of the dusupay-signature header.

  2. Form the string payload to be used in signature verification. This is obtained by concatenating values of the callback data in the format that follows id:internal_reference:transaction_status:callback_url where callback_url is the full URL as added to your merchant account settings. The other values are obtained from the callback data. e.g. assume the following is the callback data

        "id": 226,
        "request_amount": 10,
        "request_currency": "USD",
        "account_amount": 737.9934,
        "account_currency": "UGX",
        "transaction_fee": 21.4018,
        "total_credit": 716.5916,
        "customer_charged": false,
        "provider_id": "mtn_ug",
        "merchant_reference": "76859aae-f148-48c5-9901-2e474cf19b71",
        "internal_reference": "DUSUPAY405GZM1G5JXGA71IK",
        "transaction_status": "COMPLETED",
        "transaction_type": "collection",
        "message": "Transaction Completed Successfully"

    and that the callback URL is The string payload would therefore be 226:DUSUPAY405GZM1G5JXGA71IK:COMPLETED:

  3. Obtain the public key as described here and store it as a file.

  4. Use the public key to verify the signature as described in the example source codes below;

Signature Verification Code Samples

const crypto = require('crypto');
const fs = require('fs');

function isValidSignature() {
    const strPayload = "226:DUSUPAY405GZM1G5JXGA71IK:COMPLETED:";
    const signature = "value-of-dusupay-signature";
    const publicKeyFile = "path-to-file/dusupay.public.key.pem";
    const publicKey = fs.readFileSync(publicKeyFile).toString().replace(/\\n/g, '\n');

    const verify = crypto.createVerify("SHA512");

    /*true or false*/
    return verify.verify(publicKey, signature, 'base64');

Last updated