5.3 Signature Format

Payblr signs the following value:

Then Payblr computes:

• The timestamp is in milliseconds, not seconds.
• The separator is a literal dot: .
• The body must be the exact raw request body sent by Payblr.
• Do not parse and then reserialize the JSON before verification.
• Do not add, remove, trim, or reformat whitespace before verification.
• Do not base64-decode the secret unless Payblr and your system explicitly agree that the configured secret value is base64-encoded material.
• The digest is lowercase hex.