Your system should verify every EHI request before processing the transaction.
| Step | Required action |
|---|---|
| 1 | Read x-ehi-signature. |
| 2 | Read x-ehi-signature-algorithm. |
| 3 | Read x-ehi-signature-timestamp. |
| 4 | Reject the request if the algorithm is not hmac-sha256. |
| 5 | Reject the request if the timestamp is missing, invalid, or stale. |
| 6 | Use a recommended replay window of 5 minutes and compare against the current UTC time in milliseconds. |
| 7 | Read the raw request body exactly as received. |
| 8 | Build the signing payload as `<timestamp>.<rawBody>`. |
| 9 | Compute HMAC-SHA256 using the shared secret. |
| 10 | Compare the computed lowercase hex digest with x-ehi-signature using constant-time comparison. |
| 11 | Only after a valid signature, parse the JSON and process the EHI message. |
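The eleven steps above as one receiving-side check, written here as an added illustration rather than code from the EHI documentation. The secret, the header dictionary shape and the sample body are constructed for the example; the `now_ms` parameter exists only so the replay-window check can be exercised with a fixed clock.

```python
import hashlib
import hmac
import json
import time

REPLAY_WINDOW_MS = 5 * 60 * 1000  # recommended 5-minute replay window, in milliseconds


def sign_payload(secret: bytes, timestamp_ms: int, raw_body: bytes) -> str:
    """Lowercase hex HMAC-SHA256 over '<timestamp>.<rawBody>', using the body bytes as received."""
    message = str(timestamp_ms).encode("ascii") + b"." + raw_body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_ehi_request(headers: dict, raw_body: bytes, secret: bytes, now_ms=None):
    """Return (ok, reason, parsed_json). The JSON is parsed only after the signature checks out."""
    # Normalise header names; HTTP header names are case-insensitive.
    h = {k.lower(): v for k, v in headers.items()}
    signature = h.get("x-ehi-signature")            # step 1
    algorithm = h.get("x-ehi-signature-algorithm")  # step 2
    timestamp = h.get("x-ehi-signature-timestamp")  # step 3

    if algorithm != "hmac-sha256":                  # step 4
        return False, "unsupported algorithm", None
    if not signature:
        return False, "missing signature", None
    # step 5: timestamp must be present and a plain ASCII integer (epoch milliseconds)
    if not (timestamp and timestamp.isascii() and timestamp.isdigit()):
        return False, "missing or invalid timestamp", None
    ts_ms = int(timestamp)
    current = int(time.time() * 1000) if now_ms is None else now_ms
    if abs(current - ts_ms) > REPLAY_WINDOW_MS:     # step 6: reject outside the replay window
        return False, "stale timestamp", None

    expected = sign_payload(secret, ts_ms, raw_body)  # steps 7-9 over the raw bytes
    # step 10: constant-time comparison; comparing as bytes tolerates any odd header content
    if not hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8", "replace")):
        return False, "signature mismatch", None

    return True, "ok", json.loads(raw_body)         # step 11: parse only after a valid signature


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    body = b'{"event":"ehi.test","id":1}'  # constructed sample body
    ts = int(time.time() * 1000)
    hdrs = {"x-ehi-signature": sign_payload(secret, ts, body),
            "x-ehi-signature-algorithm": "hmac-sha256",
            "x-ehi-signature-timestamp": str(ts)}
    print(verify_ehi_request(hdrs, body, secret))
```

Note that re-serialising the parsed JSON before signing (for example `json.dumps(json.loads(body))`) produces different bytes and fails verification, which is why step 7 insists on the raw body.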