Verify data with signature

A signature is used to verify data integrity between your system and SimplifyTrip. It is generated from checksumKey and request/response data fields defined by each API.

Whenever you receive data from SimplifyTrip, verify the signature to ensure payload authenticity.

Try with Signature Generator

How to generate a signature

SimplifyTrip uses HMAC with SHA-256.
Signature input data format: key1=value1&key2=value2…
Fields must be sorted alphabetically by key.
Formula: hash_hmac("sha256", data, checksum_key)

💡

Note Checksum Key is generated when API key is created. You can rotate Checksum Key anytime if leakage is suspected.

Sample code to validate data

Nodejs


_87import { createHmac } from "crypto";
_87
_87const checksumKey = "ck_test_xxxxxxxxxxxxxxxxxxxxxxxx";
_87const signature = "412e915d2871504ed31be63c8f62a149a4410d34c4c42affc9006ef9917eaa03";
_87const webhookData = {
_87	"id": "6740ce7f9d042322159bc6401",
_87	"type": "PURCHASE_ORDER_SUCCESS",
_87	"sentDate": "2024-11-24T17:42:31.424Z",
_87	"createdAt": "2024-11-24T17:42:31.424Z",
_87	"mode": "TEST_MODE",
_87	"data": {
_87		"orderId": "3248417841",
_87		"trackId": "06c08ae1-bfac-4f77-1213-a92f53bb15dd",
_87		"status": "SUCCESS",
_87		"items": [
_87			{
_87			"subOrderId": "674362a97cbd7ef05bc12786",
_87			"subTrackId": "62137526-5b53-475f-4333-4c1e83e13a28",
_87			"sku": "EAS5XY01GB04DPY",
_87			"quantity": 2,
_87			"type": "eSIM",
_87			"status": "SUCCESS",
_87			"eSims": [
_87					{
_87						"qrCodeContent": "LPA:1$SECSMSMINIAPP.EASTCOMPEACE.COM$502F97EF09144E0C9D62FD781E259916",
_87						"qrCodeImg": "https://files.simplifytrip.com/a11dd3c438f38f5383fa17c8ea2de3ef.png",
_87						"iccid": "89812003916820391469",
_87						"planAPN": "plus.4g",
_87						"smdpAddress": "SECSMSMINIAPP.EASTCOMPEACE.COM",
_87						"pin": "1234",
_87						"puk": "15095300",
_87						"activationCode": "502F97EF09144E0C9D62FD781E256862"
_87					},
_87					{
_87						"qrCodeContent": "LPA:1$SECSMSMINIAPP.EASTCOMPEACE.COM$502F97EF09144E0C9D62FD781E259916",
_87						"qrCodeImg": "https://files.simplifytrip.com/a11dd3c438f38f5383fa17c8ea2de3ef.png",
_87						"iccid": "89812003916820396627",
_87						"planAPN": "plus.4g",
_87						"smdpAddress": "SECSMSMINIAPP.EASTCOMPEACE.COM",
_87						"pin": "1234",
_87						"puk": "15095300",
_87						"activationCode": "502F97EF09144E0C9D62FD781E253495"
_87					}
_87				]
_87			}
_87		]
_87	},
_87};
_87
_87function deepFlattenToObject(obj, prefix = '') {
_87	return Object.keys(obj).reduce((acc, k) => {
_87		const pre = prefix.length ? prefix + '_' : '';
_87		if (typeof obj[k] === 'object' && obj[k] !== null) {
_87			Object.assign(acc, deepFlattenToObject(obj[k], pre + k));
_87		} else {
_87			acc[pre + k] = obj[k];
_87		}
_87		return acc;
_87	}, {});
_87}
_87
_87function convertObjToQueryStr(object) {
_87	const flatObj = deepFlattenToObject(object);
_87
_87	return Object.keys(flatObj)
_87		.sort()
_87		.filter((key) => flatObj[key] !== undefined)
_87		.map((key) => {
_87			let value = flatObj[key];
_87			if ([null, undefined, "undefined", "null"].includes(value)) {
_87				value = "";
_87			}
_87			return `${key}=${value}`;
_87		})
_87		.join("&");
_87}
_87
_87function isValidData(data, currentSignature, checksumKey) {
_87	const dataQueryStr = convertObjToQueryStr(data);
_87	const dataToSignature = createHmac("sha256", checksumKey)
_87	.update(dataQueryStr)
_87	.digest("hex");
_87
_87	return dataToSignature == currentSignature;
_87}
_87
_87return isValidData(webhookData, signature, checksumKey);

Example flow

Input data

Use webhook payload and current signature.

Flatten object

Flatten nested object/array data into a single-level object with underscore key path.

Sort and stringify

Sort keys alphabetically and join as key=value with &.

Generate signature

Hash using HMAC_SHA256(dataString, checksumKey) and compare with the received signature.

Try with Signature Generator

Webhooks API list