# 6.3. Notification signature verification method

The header containing the notification signature has the following format:

```
X-axepta-Signature: merchantid=[...];serviceid=[...];signature=[...];alg=[...]
```

To authenticate the source and verify the integrity of the notification message, perform the following steps:

1. From the headers of the incoming package delivered to the notification URL, read the `X-Axepta-Signature` value,
2. Then extract the values of `signature` and `alg`,
3. Depending on the hash algorithm specified in `alg`, calculate the appropriate hash:

    ```text
    string incoming_signature = x_axepta_signature[signature]
    string body = notification_body
    string own_signature = hash(body + private_key, alg)
    ```

4. Compare the calculated `own_signature` value with `incoming_signature` read from the header,
5. If `own_signature` and `incoming_signature` are identical, the notification message is correct and comes from a trusted source.

> Transaction status changes should be applied only if signature verification succeeds.