This webhook is called by our payment gateway to inform you of refund status changes. The name of this endpoint should correspond to the name for the refund webhook, that you specified in your Merchant Portal integration
Note, We will pass through a super-signature header in the callback request to enable you to verify that the request originated from Super, as opposed to a rogue third party.
The signature is generated using a combination of the event payload, a timestamp and your unique webhook secret found in your Merchant Portal integration. The signature, contained in the super-signature header consists of two parts. A timestamp prefixed by t= and the signature prefixed by v1= e.g.
super-signature: t=1669219987926,v1=bc2719322a26335c486df9dffeb0c555c758b2a7470de6f62421cfb8437e8b5b
Verifying a Signature
- Separate the timestamp and signature components by splitting the header on the , character.
- Separate the timestamp and header components into their key value pairs by splitting on the = character.
- Create a message string by concatenating the timestamp, retrieved in step 2, and the request body.
- Generate an HMAC signature using SHA256 as the hash function, your webhook secret as the key and the message string constructed in step 3 as the message.