Developer
<?php
namespace Stripe;
abstract class WebhookSignature
{
const EXPECTED_SCHEME = 'v1';
/**
* Verifies the signature header sent by Stripe. Throws an
* Exception\SignatureVerificationException exception if the verification fails for
* any reason.
*
* @param string $payload the payload sent by Stripe
* @param string $header the contents of the signature header sent by
* Stripe
* @param string $secret secret used to generate the signature
* @param int $tolerance maximum difference allowed between the header's
* timestamp and the current time
*
* @throws Exception\SignatureVerificationException if the verification fails
*
* @return bool
*/
public static function verifyHeader($payload, $header, $secret, $tolerance = null)
{
// Extract timestamp and signatures from header
$timestamp = self::getTimestamp($header);
$signatures = self::getSignatures($header, self::EXPECTED_SCHEME);
if (-1 === $timestamp) {
throw Exception\SignatureVerificationException::factory(
'Unable to extract timestamp and signatures from header',
$payload,
$header
);
}
if (empty($signatures)) {
throw Exception\SignatureVerificationException::factory(
'No signatures found with expected scheme',
$payload,
$header
);
}
// Check if expected signature is found in list of signatures from
// header
$signedPayload = "{$timestamp}.{$payload}";
$expectedSignature = self::computeSignature($signedPayload, $secret);
$signatureFound = false;
foreach ($signatures as $signature) {
if (Util\Util::secureCompare($expectedSignature, $signature)) {
$signatureFound = true;
break;
}
}
if (!$signatureFound) {
throw Exception\SignatureVerificationException::factory(
'No signatures found matching the expected signature for payload',
$payload,
$header
);
}
// Check if timestamp is within tolerance
if (($tolerance > 0) && (\abs(\time() - $timestamp) > $tolerance)) {
throw Exception\SignatureVerificationException::factory(
'Timestamp outside the tolerance zone',
$payload,
$header
);
}
return true;
}
/**
* Extracts the timestamp in a signature header.
*
* @param string $header the signature header
*
* @return int the timestamp contained in the header, or -1 if no valid
* timestamp is found
*/
private static function getTimestamp($header)
{
$items = \explode(',', $header);
foreach ($items as $item) {
$itemParts = \explode('=', $item, 2);
if ('t' === $itemParts[0]) {
if (!\is_numeric($itemParts[1])) {
return -1;
}
return (int) ($itemParts[1]);
}
}
return -1;
}
/**
* Extracts the signatures matching a given scheme in a signature header.
*
* @param string $header the signature header
* @param string $scheme the signature scheme to look for
*
* @return array the list of signatures matching the provided scheme
*/
private static function getSignatures($header, $scheme)
{
$signatures = [];
$items = \explode(',', $header);
foreach ($items as $item) {
$itemParts = \explode('=', $item, 2);
if (\trim($itemParts[0]) === $scheme) {
$signatures[] = $itemParts[1];
}
}
return $signatures;
}
/**
* Computes the signature for a given payload and secret.
*
* The current scheme used by Stripe ("v1") is HMAC/SHA-256.
*
* @param string $payload the payload to sign
* @param string $secret the secret used to generate the signature
*
* @return string the signature as a string
*/
private static function computeSignature($payload, $secret)
{
return \hash_hmac('sha256', $payload, $secret);
}
}
Developer
Get access token to initiates payment transaction.
| Parameter | Type | Comments |
|---|---|---|
| client_id | string | Enter merchant API client/primary key |
| secret_id | string | Enter merchant API secret key |
| env | string | Enter merchant API environment |
| merchant_id | string | Enter merchant API merchant id |
Request Example (guzzle)
<?php
require_once('vendor/autoload.php');
$client = new \GuzzleHttp\Client();
$response = $client->request('POST', $base_url. 'v1/generate-token', [
'headers' => [
'accept' => 'application/json',
'content-type' => 'application/json',
],
'form_params' => [
'client_id' => '$client_id',
'secret_id' => 'secret_id',
'env' => 'env',
'merchant_id' => 'merchant_id',
],
]);
echo $response->getBody();
**Response: SUCCESS (200 OK)**
{
"message": {
"success": [
"Successfully token is generated"
]
},
"data": {
"token":"eyJpdiI6InpkczhjTjhQdVhUL2lKQ0pSUUx6aUE9PSIsInZhbHVlIjoiVGVBTVBDTXltbjNZcEIvdEJveGpTSno3TU5NRUtnVkhCZ1pHTFNCUnZGQ2UxMnYxN202cEE1YVRDTEFsc0ZERExoTjdtL0dTL2xoU3QzeUJJOExiMUx5T0w1L0llUXhTUkU1cWVLWEdEbEplb0dKNXcwbTNRM0VxdkUwYzZuNFdtNkhMQ0pRZysyNWkvdzBxSlBoSVBSOGFTekNnR2RXNHVtcG9lMGZOTmNCcm1hR3c5Sk9KTnB4Y3ltZDl6cm90MThrR21Ca3B1azc3bXRiQ0J6SW96UVo1elNkU1ZqeE05bTcwWGp1MEUxWlJFdnNWTmpSbnVpeW92b2U4dXZkUGgyb1VmK0luaGdyaFlsVTZlcVpVRnZlTG1DeFF6Ykk2T2h6Z3JzbnIyNHpNdHowSE5JdDR0Y0pZT20zUm1XYW8iLCJtYWMiOiJlY2M4NGE1OGUzYzkzYzk0YzljNmVmNjE0YWI0ZDIwOGI3NDQ2YWEyY2ZhNzc0NzE4ZmY1ZmYyMz
IyZmQzNDY1IiwidGFnIjoiIn0=",
},
"type": "success"
}
**Response: ERROR (400 FAILED)**
{
"message": {
"error": [
"Invalid credentials."
]
},
"data": null,
"type": "error"
}