plenigo signature


Preliminary Remarks

Each callback from the Frisbii Media system carries a signature in an HTTP header so that the receiver can verify that the call originates from a trusted source and that its body has not been manipulated in transit.


Check plenigo signature

Each callback is signed via a signature header. The header is called plenigo-signature and looks like this:

t=1729583536,s=fdcd0a0ccd0b4db629d35a33c3aada5cf669a28f91adb38abcc9ffcdb1663d38

The header contains two elements: a timestamp indicating the time at which the callback was generated (t) and a hash-based message authentication code (HMAC) computed with SHA-256 (s).

Summary:

plenigo-signature: t=<timestamp>,s=<signature>

  • t = Unix timestamp (seconds since epoch)

  • s = HMAC-SHA256 signature (hexadecimal encoded)

How to create the signature

Frisbii Media calculates the signature in the following steps:

  1. Take the current Unix timestamp as a character string

  2. Concatenate the timestamp and the raw bytes of the request body, separated by a dot (.)

  3. Compute an HMAC-SHA256 over that string, using the callback secret issued by Frisbii Media as the key

  4. Set the header:

    plenigo-signature: t=timestamp,s=signature

To support version-specific logic on the receiving side, each callback request also carries the HTTP header:

X-Plenigo Api version

Verify header

Step 1: Extract timestamps and signatures from the header

Split the header value on the "," character (comma) to obtain a list of elements. Split each element on the first "=" character (equals sign) into a pair consisting of a prefix and a value.

Values of the prefixes:  

  • "t" = timestamp

  • "s" = one signature or several signatures

Any other elements can be ignored.

Step 2: Prepare the "signed_payload" string

The string "signed_payload" is created by concatenating, in this order:

  • the timestamp as a string

  • the character "." (dot)

  • the actual JSON payload (i.e. the raw request body, exactly as received) as a string

Step 3: Determine expected signature

Compute an HMAC with the SHA-256 hash function. The signing secret of the endpoint is used as the key and the character string "signed_payload" is used as the message.

Step 4: Compare signatures

Compare the signature (or each of the signatures) from the header with the expected signature; the callback is authentic if one of them matches. In addition, calculate the difference between the current timestamp and the received timestamp and decide whether it lies within an acceptable tolerance, so that a captured callback cannot simply be replayed later.

Note

If the timestamp is far in the past, we recommend not using this callback for data processing any longer, as doing so can lead to data inconsistency, especially with customer data.

Here is an example of the processing of the received callback:
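The following Python implementation of steps 1 to 4 is an added example and not plenigo's own code; the tolerance of 300 seconds, the function names and the sample secret and body are assumptions. It deliberately hashes the raw body bytes as received (re-serializing the JSON would change the bytes and break the check) and compares signatures in constant time.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Assumed values, not taken from the plenigo documentation.
DEFAULT_TOLERANCE_SECONDS = 300


def parse_signature_header(header_value: str) -> Tuple[Optional[str], List[str]]:
    """Step 1: split 't=...,s=...' into the timestamp and all signatures; other prefixes are ignored."""
    timestamp = None
    signatures = []
    for element in header_value.split(","):
        prefix, sep, value = element.strip().partition("=")
        if not sep:
            continue  # malformed element without '=' is skipped
        if prefix == "t":
            timestamp = value
        elif prefix == "s":
            signatures.append(value)
    return timestamp, signatures


def expected_signature(secret: str, timestamp: str, raw_body: bytes) -> str:
    """Steps 2 and 3: HMAC-SHA256 over '<timestamp>.<raw body>' with the callback secret as key, hex encoded."""
    signed_payload = timestamp.encode("utf-8") + b"." + raw_body
    return hmac.new(secret.encode("utf-8"), signed_payload, hashlib.sha256).hexdigest()


def build_signature_header(secret: str, raw_body: bytes, timestamp: Optional[int] = None) -> str:
    """Sender side (how Frisbii Media creates the header); used here to produce test input for the check."""
    ts = str(int(time.time()) if timestamp is None else timestamp)
    return f"t={ts},s={expected_signature(secret, ts, raw_body)}"


def verify_callback(secret: str, header_value: str, raw_body: bytes,
                    now: Optional[int] = None, tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> bool:
    """Step 4: reject stale timestamps, then accept if any provided signature matches the expected one."""
    timestamp, signatures = parse_signature_header(header_value)
    if timestamp is None or not timestamp.isdigit() or not signatures:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - int(timestamp)) > tolerance:
        return False  # outside the replay window: do not process this callback
    expected = expected_signature(secret, timestamp, raw_body).encode("ascii")
    # compare_digest runs in constant time, so a forged value leaks no timing information
    return any(hmac.compare_digest(expected, sig.encode("utf-8")) for sig in signatures)
```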