Agency authenticates Afterpay by verifying that the certificate presented by Afterpay is signed by a commonly trusted CA.
Afterpay verifies that it is Agency making the request by the following scheme:
- Agency will generate a SHA-256 HMAC from the request by:
- Concatenating the URI of the request, the value of the X-Afterpay-Request-Date header, and the request body (for POST and PUT requests), delimited by the newline character (\n) using the shared secret as key
- The base64 representation of the SHA-256 HMAC will be provided in the X-Afterpay-Request-Signature HTTP header.
- The X-Afterpay-Request-Date header should contain a timestamp (number of seconds since unique epoch) that is not more than 60 seconds from the current time (as determined by public NTP servers).