> ## Documentation Index
> Fetch the complete documentation index at: https://telr-docs.cashfree.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Webhook Signature Verification

Verifying the signature is mandatory before processing any response. It helps authenticate that the webhook is from Telr.

Follow the steps to verify the signature:

1. Sort the array based on keys.
2. Concatenate all the values in this array and the resultant is the post data (**postData**).
3. **postData** needs to be encrypted using SHA-256 and then base64 encoded.
4. Verify if both the signature calculated and the signature received match.
5. Proceed further only if the signatures match. If not, discard the request.
6. Ensure **clientSecret** you use is from the oldest active key pair.

For example, from the webhook received, extract the data and pass it to generate HMAC function:

```
{bank_account=026291800001191, ifsc=YESB0000262, upi=, name_at_bank=John Doe, 
verification_id=fadsfdsf, ref_id=332, utr=332, status=SUCCESS,
added_on=2023-09-06T07:48:53+05:30, processed_on=2023-09-06 07:49:03, 
penny_collected_on=2023-09-06 07:48:53}
```

```Text Java code - for reference theme={null}
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.util.Map;
import java.util.TreeMap;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.commons.codec.binary.Base64;

public class ComputedSignature {
public static String generateHMAC(String clientSecret, String data) {
        String hash = null;
        ObjectMapper objectMapper = new ObjectMapper();
        try {
            Map<String, Object> jsonMap = objectMapper.readValue(data, new TypeReference<Map<String, Object>>() {
            });
            Map<String, Object> sortedMap = new TreeMap<>(jsonMap);

            // sort the map based on keys
            String postDataString = "";

            for (Map.Entry<String, Object> entry : sortedMap.entrySet()) {
                postDataString = postDataString + entry.getValue();
            }

            // encode the post data on sha256
            Mac sha256HMAC = Mac.getInstance("HmacSHA256");
            SecretKeySpec secretKey = new SecretKeySpec(clientSecret.getBytes(), "HmacSHA256");
            sha256HMAC.init(secretKey);

            hash = Base64.encodeBase64String(sha256HMAC.doFinal(postDataString.getBytes()));
        } catch (Exception e) {
            e.printStackTrace();

        }
        return hash;
    }
}

```

## IPs to whitelist

When you decide to consume the webhooks, first, you need to verify if your systems need an IP whitelisting to be done at your end or not. Accordingly you can whitelist the below IPs of Telr:

| Sandbox       |
| :------------ |
| 52.66.25.127  |
| 15.206.45.168 |

| Prod          |
| :------------ |
| 52.66.101.190 |
| 3.109.102.144 |
| 3.111.60.173  |
| 18.60.134.245 |
| 18.60.183.142 |

| Port          |
| :------------ |
| 443 (secured) |
