6.3. Notification signature verification method

The header containing the notification signature has the following format:

X-axepta-Signature: merchantid=[...];serviceid=[...];signature=[...];alg=[...]

To authenticate the source and verify the integrity of the notification message, perform the following steps:

  1. From the headers of the incoming request delivered to the notification URL, read the X-Axepta-Signature value,
  2. Then extract the values of signature and alg,
  3. Depending on the hash algorithm specified in alg, calculate the appropriate hash:

    string incoming_signature = x_axepta_signature[signature]
    string body = notification_body
    string own_signature = hash(body + private_key, alg)
    
  4. Compare the calculated own_signature value with incoming_signature read from the header,

  5. If own_signature and incoming_signature are identical, the notification message is correct and comes from a trusted source.

Transaction status changes should be applied only if signature verification succeeds.
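
The steps above as a Python sketch. This is an added example, not code from the axepta documentation. It assumes that alg carries a name such as sha256 or sha512, that signature is a hex-encoded digest, and that the private key is available as bytes; the function names and sample values are hypothetical.

```python
import hashlib
import hmac

# Assumption: alg values correspond to these hashlib names; the page does not list them.
ALLOWED_ALGS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def parse_signature_header(value: str) -> dict:
    """Split 'k1=v1;k2=v2;...' into a dict; reject malformed or duplicate fields."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if not sep or not key or key.lower() in fields:
            raise ValueError("malformed X-Axepta-Signature header")
        fields[key.lower()] = val
    return fields


def verify_notification(headers: dict, body: bytes, private_key: bytes) -> bool:
    """Return True only if the signature matches hash(body + private_key, alg)."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("x-axepta-signature")
    if raw is None:
        return False
    try:
        fields = parse_signature_header(raw)
    except ValueError:
        return False
    hash_fn = ALLOWED_ALGS.get(fields.get("alg", "").lower())
    incoming = fields.get("signature", "")
    if hash_fn is None or not incoming:
        return False  # unknown algorithm or missing signature: fail closed
    # Hash the raw bytes as received; re-serialised JSON would change the digest.
    own = hash_fn(body + private_key).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(own.encode(), incoming.lower().encode())


# Constructed sample data (not real credentials or a real notification).
SAMPLE_KEY = b"constructed-private-key"
SAMPLE_BODY = b'{"transactionId":"constructed-1","status":"settled"}'
SAMPLE_HEADERS = {
    "X-Axepta-Signature": "merchantid=m1;serviceid=s1;signature="
    + hashlib.sha256(SAMPLE_BODY + SAMPLE_KEY).hexdigest() + ";alg=sha256"
}
```

Pass the request body exactly as it arrived on the wire, and treat a False result as a reason to leave the transaction status unchanged.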