Webhook Security
Overview:
Webhook notifications require a digital signature. MoneyGram signs the request using public / private keys.
Signatures are generated using an RSA key and SHA256 digest of the message body. They are transmitted using the signature request header and are Base64 encoded.
NOTE: Signature: t=timestamp, s=base64 signature
The timestamp is the current Unix timestamp (number of seconds since epoch) at the time the notification is sent. This is used to assure freshness of the request and to prevent this request being replayed in the future.
Base64 signature is the base64 encoding of the request signature. We explain below how to verify this signature. The signature is computed using the MoneyGram private key.
Note that the timestamp and the destination (your) hostname will be part of the signature to prevent replay and relay attacks.
Good to Know:
You should verify each request you handle is sent by MoneyGram and has not been tampered with. You should not process any request with signature that fails verification.
Developer Code Example:
MoneyGram has included example code to help jump start your development. The code is also annotated to highlight what’s possible with our APIs and explain use cases. Open the example below and get building!
Security Model Diagram
How to verify your Digital signature
Step 1: Grant network access and "whitelist" the MoneyGram IP Addresses below.
Production & Sandbox IP Addresses
| Server | IP Address |
|---|---|
| Production Environment |
|
| Sandbox Environment |
|
Step 2: Check the request has Header Signature:
Step 3: Parse the header and extract:
- Key t: timestamp
- Key s: base64 signature
Step 4: Verify the request freshness:
- current timestamp - timestamp <65 Minutes Max
Step 5: Extract the body of the request
Step 6: Base64 decode the base64 signature
Step 7: Prepare the payload to verify the signature:
- The timestamp (as a string)
- The character
- The webhook host (your host) where to send the notification request
- The body
- Verify the signature using the correct MoneyGram Public Key
Public Keys
| Environment | Key |
|---|---|
| Sandbox Environment | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Dm7LFleQyaXakYdNOvCv2Irm2ufOcncek0Q4J+MtzmEYvdlfhx5Sm206s2Z5l0/+6YyA3tFljRNCFar3lm96o/S6IFNo0xOsCy+Il7EzQNl4S7kojqnOGfgMgUBC/qxf0S7zkh7y0St8G3OpcjYg7Ff7PAFXmcgjk22F1lUeOqy+zyP2dRJ+NEKZrcHJhbFheB0dPH++e+1foHSfhz+I+Pt9DDaESJasJptZGo0Ww3U+KkPmrDriOLbvpdE4r7MKzeQfGa7SMx4VzhtWFa98/6V6MO29ZjkegejHBZsCekA/1NU0gAQhQnxuYsgdCn/9LogrWqUS8Tl44K2yPYCsQIDAQAB |
| Production Environment | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtPGnqyaDXdZgsYqLuj+hP44TM4hTgnQi+Giq25FIXITANi5kHqS7/PtxGl0QsJex84NabOVc20PI56Nwk2X2+tid1dAXnIDH4S0dQeNRjTt3QRd3eNn0ikCKFZ+yJWyZ2IR1bkWR+FHn1WBjeC5DwrF4Jpmpv6D+YJGvJRFsDbjS3VFypN4RxF146kHDm3T/5cTFDhXnubgjWhi/T7dYpN881bY4Lh8y3maNpruH99bzTZEtkpyBpm4dnBUnmWdSDNgchhT/8t6nLzVczp1bDSl8cV5WUsgftaDW1aVZrde2fVuEnNwEvD5eFv/C9/8KwBRqr898aw7ZzMD9Y9vBkQIDAQAB |
IP Address
MoneyGram uses a POST HTTP method with JSON payloads request to your webhook URL from one of the following IP addresses:
| Server | IP Addresses |
|---|---|
| Production Environment | 3.137.64.179 3.137.64.157 3.13.206.10 |
| Sandbox Environment | 3.16.53.226 3.143.88.249 |
Updated 26 days ago
