All communications between the publisher and the Appcharge system are authenticated and secure using HTTPS and authentication methods.

Appcharge uses signature hashing for secure communication between the two platforms. The main key can be found in the Appcharge dashboard, Admin panel, and Integration tab.

In every webhook coming from Appcharge 2 HTTP headers will be added:

  1. “x-publisher-token” - the publisher token found in the Dashboard admin panel, integration tab, can be used for multiple Appcharge accounts.
  2. “signature” - the HTTP payload signed (hashed) using the below description:

  • The schema consists of 2 parts:

    • Time in UNIX timestamp format
    • Time is in UTC Now
    • Verify that the time sent in the payload is at the last 1-5 minutes
    • The HTTP payload sign using sha256 and the main key. Formatting the output in hex encoding
static signPayload(currentTimestamp: Date, data: string, secretKey: string): string {  
  const hmac = crypto.createHmac("sha256", secretKey); 
  const tAndData = currentTimestamp + "." + data;
  hmac.update(tAndData);  
  return hmac.digest("hex"); // hex encoding
}
const currentTimestamp = new Date().getTime(); // UNIX timestamp
const sign = signPayload(currentTimestamp, httpPayload, mainKey); // HTTP payload signing
const signature: `t=${currentTimestamp},v1=${sign}`,

Validating the signature

  • Take the currentTimestamp from the provided header
  • Run the same algorithm as above to create the signature using the currentTimestamp from the header
  • Validate that the currentTimestamp is not older then ~5 minutes to prevent replay attack