Signature Verification

Merchants can follow the steps below to verify the signature on API responses or callback notifications.

If the merchant's request signature is verified successfully, PayLoco will include a response signature in the HTTP response header. We recommend that merchants verify the response signature.

Similarly, PayLoco includes a callback signature in the HTTP header of every callback notification. Merchants must verify the callback signature to confirm that the callback originated from PayLoco.

Retrieve the Response Signature

PayLoco’s response signature is transmitted via the HTTP signature header. (Note: the example below may show line breaks due to formatting — the actual value is a single unbroken string.) Decode the value of the signature field using Base64 to obtain the response signature bytes.

Verify the Signature

Most programming languages provide signature verification functions that accept both the message string and the signature for validation. We strongly recommend using such functions to verify the signature string and the signature against PayLoco’s platform public key using the SHA256WithRSA algorithm.

Test Public Key

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgAuG27kWX9WFmVnlZvDoZhxUhupkA3mbPeIlqTjY6KmrTl6jd6GA708OHN0NRZcHEHApT7fGOUIKwBhMmWwZinDq7D6bQ0F1Br5o/XvOt3uyJfwi5diyS0Eh24oQPexxn3bGPS8csGoA+gPPnnscux+Lh2ZJALJc3J1kYHy/90b81vSX0wAtX/GVKHtWeLqnG3du93PcMBpgd4P++bG/CsV8IozyiZZ7QOlFQcHBeZZkGGvPllvz/x2BjlJQQcJFpYc16nWm30qALzj4r4qPyzSYAwQZHtWs47LDgfHRs9dHnZoF+qQsDjrHvvpoeaAUtotbqTaK/gWlEuJj8QhGwwIDAQAB

​Signature Verification

​Retrieve the Response Signature

​Verify the Signature

​Test Public Key

Signature Verification

Retrieve the Response Signature

Verify the Signature

Test Public Key