Webhook Validation

To ensure security, every webhook notification must be validated using a hash.

Webhook validation and is the only trusted way to confirm that a payment notification:

Webhook Validation Concept

Webhook validation is based on a shared-secret hash mechanism.

EdfaPay generates a hash using transaction data and the merchant’s secret PASSWORD
The same hash is recalculated by the merchant upon receiving the webhook
If both hashes match, the webhook is considered authentic.

Regardless of the integration type, the webhook validation process is always the same:

Receive the webhook request from EdfaPay
Read the webhook payload parameters
Recalculate the webhook hash using the correct formula
Compare your calculated hash with the hash sent by EdfaPay
Validation result:
- ✅ Hashes match → Webhook is valid
- ❌ Hashes do not match → Webhook must be rejected or ignored

The webhook hash formula depends on the integration flow used.

Used for Checkout integrations.

MD5(strtoupper(strrev(email) + PASSWORD + trans_id + strrev(substr(card_number,0,6) + substr(card_number,-4))))

Parameters:

The hash sent in the initiate request should not match the hash received in the webhook notification.

Used for Server-to-Server (S2S) Embedded integrations.
This hash follows the same logic used in the SALE request.

MD5(strtoupper(strrev(email).PASSWORD.strrev(substr(card_number,0,6).substr(card_number,-4))))

Parameters:

trans_id is not included in S2S webhook hash calculation.