Callbacks

Transaction Status

There are two ways to know the status of a transaction:

  • CallbackUrl: Use your own callback URL; it can be set in the request parameters. We strongly recommend using this parameter instead of check status.
  • Check status: Use a GET request on the API.
Adding security by using signatures

A signature lets you check that a callback comes from Cleo. Let’s consider the following callback:

{
  "adress": {
    "commune": null,
    "country": null,
    "region": null,
    "street": null
  },
  "amount": 30000,
  "amountFee": 600,
  "fullName": "full name",
  "gender": null,
  "isForeigner": null,
  "maritalStatus": null,
  "rut": "111111111",
  "sessionId": "0db498cf-dc76-4db4-8c24-f6b62b130148",
  "status": "SUCCESS",
  "signature": "eba50f4288231220da1f269a11b24706efaaefa014de52978ac3d233a6547a68"
}

We follow these steps:

  1. We remove the signature field from the data before validating (and no trailing comma, of course).
  2. We sort the keys alphabetically, including those of the address sub-dictionary.
  3. Next, we serialize the callback data with JSON.stringify(data, null, 0), which removes all whitespace between tokens. It becomes:
    {"adress":{"commune":null,"country":null,"region":null,"street":null},"amount":30000,"amountFee":600,"fullName":"full name","gender":null,"isForeigner":null,"maritalStatus":null,"rut":"111111111","sessionId":"0db498cf-dc76-4db4-8c24-f6b62b130148","status":"SUCCESS"}
  4. Compute a hex-encoded HMAC-SHA256 of that string, using the merchant token/API key as the key.
  5. If the HMAC you get is the same as the one that came in the callback, then the signature was correct and the callback definitely came from Cleo.
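
One way to implement the five steps above in Node.js, as an added example that is not Cleo's own code. The function names, the merchant token and the sample callback's signature are constructed here for illustration, and the comparison in step 5 is done in constant time.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Step 2: rebuild every object with its keys in sorted order, recursing into
// sub-dictionaries such as "adress". Arrays keep their element order.
function sortKeys(value) {
  if (Array.isArray(value)) return value.map(sortKeys);
  if (value === null || typeof value !== 'object') return value;
  const sorted = {};
  for (const key of Object.keys(value).sort()) sorted[key] = sortKeys(value[key]);
  return sorted;
}

// Steps 1-3: drop "signature", sort the keys, serialize with no whitespace.
function canonicalize(callback) {
  const { signature, ...data } = callback;
  return JSON.stringify(sortKeys(data), null, 0);
}

// Step 4: hex-encoded HMAC-SHA256 keyed with the merchant token/API key.
function computeSignature(callback, merchantToken) {
  return createHmac('sha256', merchantToken)
    .update(canonicalize(callback), 'utf8')
    .digest('hex');
}

// Step 5: reject missing or malformed signatures, then compare in constant time.
function verifyCallback(callback, merchantToken) {
  const received = callback ? callback.signature : undefined;
  if (typeof received !== 'string' || !/^[0-9a-f]{64}$/i.test(received)) return false;
  const expected = Buffer.from(computeSignature(callback, merchantToken), 'hex');
  return timingSafeEqual(expected, Buffer.from(received, 'hex'));
}

// Constructed sample: the token is made up, so the signature is computed here
// rather than copied from the page. Keys are deliberately out of order.
const SAMPLE_TOKEN = 'example-merchant-token';
const sampleCallback = {
  status: 'SUCCESS', sessionId: '0db498cf-dc76-4db4-8c24-f6b62b130148',
  rut: '111111111', maritalStatus: null, isForeigner: null, gender: null,
  fullName: 'full name', amountFee: 600, amount: 30000,
  adress: { street: null, region: null, country: null, commune: null },
};
sampleCallback.signature = computeSignature(sampleCallback, SAMPLE_TOKEN);

console.log(verifyCallback(sampleCallback, SAMPLE_TOKEN));                   // true
console.log(verifyCallback({ ...sampleCallback, amount: 1 }, SAMPLE_TOKEN)); // false
```

Verify the parsed body before acting on status or amount, and return an error response when verification fails.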

Retrying callback sends

If a callback to the CallbackURL is not well received and results in an error, we will attempt to resend the callback multiple times. The intervals for these retries are as follows:

  • Immediate (0 seconds)
  • After 5 minutes (300 seconds)
  • After 15 minutes (900 seconds)
  • After 1 hour (3600 seconds)
  • After 5 hours (18000 seconds)
  • After 12 hours (43200 seconds)
  • After 1 day (86400 seconds)

Additionally, callbacks can be manually re-sent if needed.