| Issue | What goes wrong | Fix |
|---|---|---|
| Wrong raw body | The endpoint parses JSON and then signs a reserialized version of the payload. | Verify the signature against the exact raw body bytes or string first. |
| Wrong timestamp unit | Your system expects seconds instead of milliseconds. | `x-ehi-signature-timestamp` is Unix time in milliseconds. |
| Wrong digest encoding | Your system computes a base64 digest. | Payblr sends a lowercase hex digest. |
| Wrong secret material | One side trims, decodes, or rotates the secret differently. | Confirm the exact secret value and rotation timing through secure channels. |
| Missing constant-time comparison | Normal string comparison is used for signature validation. | Use the platform's constant-time comparison function. |
| Replay window too strict | Clock drift exists between systems. | Use UTC, keep NTP enabled, and allow a reasonable replay window such as 5 minutes. |
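The verifier below ties the rows of the table together in one place: it works on the raw body bytes, treats `x-ehi-signature-timestamp` as milliseconds, compares a lowercase hex digest with a constant-time function, and applies a 5-minute replay window. It is an added example, not Payblr's own code or SDK. The HMAC-SHA256 algorithm, the `<timestamp>.<raw body>` signing string, the `x-ehi-signature` header name, and the secret and payload are assumptions constructed for illustration; substitute the scheme from Payblr's signing documentation before using it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Only x-ehi-signature-timestamp is named in the troubleshooting table. The
# signature header name, the HMAC algorithm and the signing string below are
# assumptions for this example, not Payblr's documented scheme.
TIMESTAMP_HEADER = "x-ehi-signature-timestamp"
SIGNATURE_HEADER = "x-ehi-signature"  # assumed header name
REPLAY_WINDOW_MS = 5 * 60 * 1000      # 5 minutes, as the table suggests

# Constructed sample material (not real credentials or a captured event).
SECRET = b"whsec_example_secret_not_real"
RAW_BODY = b'{"id": "evt_123", "amount": 1000,  "currency": "USD"}'  # note the double space
NOW_MS = 1_700_000_000_000  # a fixed "current time" so the example is deterministic


def compute_signature(secret: bytes, timestamp_ms: int, raw_body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp_ms>.<raw body bytes>', returned as lowercase hex.

    The separator and algorithm are assumptions; the point is that the raw bytes
    are signed, never a re-serialized object.
    """
    message = str(timestamp_ms).encode("ascii") + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def build_headers(secret: bytes, raw_body: bytes, timestamp_ms: int) -> Dict[str, str]:
    """What the sending side would attach to the request (for the example only)."""
    return {
        TIMESTAMP_HEADER: str(timestamp_ms),
        SIGNATURE_HEADER: compute_signature(secret, timestamp_ms, raw_body),
    }


def reserialized(raw_body: bytes) -> bytes:
    """The 'wrong raw body' mistake: parse, then dump. Whitespace and key order
    are not preserved, so the bytes no longer match what was signed."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


def wrong_base64_signature(secret: bytes, timestamp_ms: int, raw_body: bytes) -> str:
    """The 'wrong digest encoding' mistake: same HMAC, base64 instead of lowercase hex."""
    message = str(timestamp_ms).encode("ascii") + b"." + raw_body
    return base64.b64encode(hmac.new(secret, message, hashlib.sha256).digest()).decode("ascii")


def verify_webhook(
    secret: bytes,
    headers: Dict[str, str],
    raw_body: bytes,
    now_ms: Optional[int] = None,
) -> Tuple[bool, str]:
    """Return (accepted, reason). Call this before parsing the body."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)  # compare in UTC epoch milliseconds
    # HTTP header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    ts_raw = h.get(TIMESTAMP_HEADER)
    sig = h.get(SIGNATURE_HEADER)
    if ts_raw is None or sig is None:
        return False, "missing signature headers"
    try:
        ts_ms = int(ts_raw)
    except ValueError:
        return False, "timestamp is not an integer"
    # A seconds value today is about 1.7e9; milliseconds is about 1.7e12. Anything
    # below 1e12 is almost certainly a unit mix-up, so say so rather than "expired".
    if ts_ms < 10**12:
        return False, "timestamp looks like seconds, expected milliseconds"
    if abs(now_ms - ts_ms) > REPLAY_WINDOW_MS:
        return False, "timestamp outside replay window"
    expected = compute_signature(secret, ts_ms, raw_body)
    # Hex case carries no information, so normalising the received value is safe;
    # the comparison itself must be constant-time.
    if not hmac.compare_digest(expected, sig.strip().lower()):
        return False, "signature mismatch"
    return True, "ok"


if __name__ == "__main__":
    good = build_headers(SECRET, RAW_BODY, NOW_MS)
    print("raw body        ->", verify_webhook(SECRET, good, RAW_BODY, NOW_MS))
    print("reserialized    ->", verify_webhook(SECRET, good, reserialized(RAW_BODY), NOW_MS))
    seconds = dict(good, **{TIMESTAMP_HEADER: str(NOW_MS // 1000)})
    print("seconds ts      ->", verify_webhook(SECRET, seconds, RAW_BODY, NOW_MS))
    b64 = dict(good, **{SIGNATURE_HEADER: wrong_base64_signature(SECRET, NOW_MS, RAW_BODY)})
    print("base64 digest   ->", verify_webhook(SECRET, b64, RAW_BODY, NOW_MS))
    stale = build_headers(SECRET, RAW_BODY, NOW_MS - 6 * 60 * 1000)
    print("6 min old       ->", verify_webhook(SECRET, stale, RAW_BODY, NOW_MS))
```

Each failure returns a distinct reason so a rejected delivery can be mapped straight back to a row of the table instead of a bare "invalid signature". Keep the reason in your own logs only; the HTTP response to the sender should stay a generic 4xx.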