Home / Help Docs / Article

How to Verify Callback Signatures and Order Amount Consistency?


Callback signature validation and order amount consistency are two of the most important checks in a payment system. Signature validation proves that the callback came from a trusted source, while amount consistency proves that the callback refers to the correct transaction. The two work together to protect both financial integrity and operational accuracy.

When verifying a callback signature, the merchant service should read the signature field and timestamp, rebuild the expected signature using the agreed algorithm and shared secret, and compare it with the received signature. Only if both the signature and timestamp are valid should the callback be accepted for further processing.

Callback Signature Verification Steps

  1. Read the signature field and timestamp from the callback request headers.
  2. Combine the request body and timestamp in the agreed format.
  3. Recreate the signature using the stored secret.
  4. Compare the generated signature with the callback signature byte-for-byte.
  5. If they match and the timestamp is within the valid window, continue processing.

Order Amount Consistency Checks

Amount consistency should be verified at multiple points: the original order amount, the callback amount, and the currency. The order number should also be checked to ensure the callback matches the correct transaction. For payment systems, it is strongly recommended that callbacks never be accepted if the amount does not match the original order amount.

Recommended Handling Strategy

  • Validate the signature before processing the callback body.
  • Validate the order number and amount before any crediting step.
  • If the amount is inconsistent, record an alert and stop the process.
  • If the order is already completed, return success directly to avoid duplicate processing.
  • Store the validation result in logs for auditing and reconciliation.

A reliable callback handler does not simply accept the notification and credit funds. It verifies identity, validates amount, confirms the order, and records the decision. That is the difference between a fragile payment integration and a production-ready one.