Webhook Security

Overview:

Webhook notifications carry a digital signature. MoneyGram signs each request using a public/private key pair.

Signatures are generated with an RSA key over a SHA-256 digest of the message body. They are transmitted in the Signature request header and are Base64 encoded.

NOTE: The header has the form Signature: t=<timestamp>, s=<base64 signature>

The timestamp is the current Unix timestamp (number of seconds since the epoch) at the time the notification is sent. It is used to ensure the request is fresh and to prevent it from being replayed later.

The base64 signature is the Base64 encoding of the request signature, computed with the MoneyGram private key. How to verify it is explained below.

Note that the timestamp and the destination hostname (yours) are part of the signed data, to prevent replay and relay attacks.



Good to Know:

You should verify that each request you handle was sent by MoneyGram and has not been tampered with. Do not process any request whose signature fails verification.




Developer Code Example:

MoneyGram has included example code to help jump start your development. The code is also annotated to highlight what’s possible with our APIs and explain use cases. Open the example below and get building!





Security Model Diagram





How to verify your Digital signature


Step 1: Grant network access and "whitelist" specific MoneyGram IP addresses

Production & Sandbox IP Addresses
  • 3.137.64.179
  • 3.137.64.157
  • 3.13.206.10

Step 2: Check that the request carries the Signature header:


Step 3: Parse the header and extract:

  • Key t: timestamp
  • Key s: base64 signature

Step 4: Verify the freshness of the request:

  • current timestamp - t < 65 minutes (maximum)

Step 5: Extract the body of the request


Step 6: Base64-decode the signature (s)


Step 7: Prepare the payload over which the signature is verified:

  • The timestamp (as a string)
  • The character
  • The webhook host (your host) to which the notification request is sent
  • The body
  • Verify the signature over this payload using the correct MoneyGram public key for your environment (see Public Keys below)



Public Keys

Sandbox Environment:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Dm7LFleQyaXakYdNOvCv2Irm2ufOcncek0Q4J+MtzmEYvdlfhx5Sm206s2Z5l0/+6YyA3tFljRNCFar3lm96o/S6IFNo0xOsCy+Il7EzQNl4S7kojqnOGfgMgUBC/qxf0S7zkh7y0St8G3OpcjYg7Ff7PAFXmcgjk22F1lUeOqy+zyP2dRJ+NEKZrcHJhbFheB0dPH++e+1foHSfhz+I+Pt9DDaESJasJptZGo0Ww3U+KkPmrDriOLbvpdE4r7MKzeQfGa7SMx4VzhtWFa98/6V6MO29ZjkegejHBZsCekA/1NU0gAQhQnxuYsgdCn/9LogrWqUS8Tl44K2yPYCsQIDAQAB

Production Environment:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtPGnqyaDXdZgsYqLuj+hP44TM4hTgnQi+Giq25FIXITANi5kHqS7/PtxGl0QsJex84NabOVc20PI56Nwk2X2+tid1dAXnIDH4S0dQeNRjTt3QRd3eNn0ikCKFZ+yJWyZ2IR1bkWR+FHn1WBjeC5DwrF4Jpmpv6D+YJGvJRFsDbjS3VFypN4RxF146kHDm3T/5cTFDhXnubgjWhi/T7dYpN881bY4Lh8y3maNpruH99bzTZEtkpyBpm4dnBUnmWdSDNgchhT/8t6nLzVczp1bDSl8cV5WUsgftaDW1aVZrde2fVuEnNwEvD5eFv/C9/8KwBRqr898aw7ZzMD9Y9vBkQIDAQAB



IP Address

MoneyGram sends POST requests with JSON payloads to your webhook URL from one of the following IP addresses:

Production Environment:
  • 3.137.64.179
  • 3.137.64.157
  • 3.13.206.10

Sandbox Environment:
  • 3.16.53.226
  • 3.143.88.249