# MD for: https://www.mercadopago.com.ar/developers/es/docs/qr-code/optional-notifications.md

\# Configure optional notifications In addition to the primary orders topic, Mercado Pago offers optional topics that notify your application about integration management events: account linking via OAuth, buyer-initiated claims, and chargebacks. These notifications complement the main flow and keep your system synchronized with events beyond payment processing. None of these topics replaces the orders topic or is mandatory. Activate only the ones relevant to your integration. ## Available topics | Topic | Panel name | Description | |---|---|---| | \`mp-connect\` | Application linking | Notifies when an account is linked or unlinked via \[OAuth\](https://www.mercadopago.com.ar/developers/en/docs/security/oauth). Applies to all integrations that use OAuth. | | \`topic\_claims\_integration\_wh\` | Claims | Notifies when a buyer files a claim or when a status change occurs. | | \`topic\_chargebacks\_wh\` | Chargebacks | Notifies when a buyer initiates a chargeback or a status change occurs. | ## Configure Webhooks Follow the steps below to activate the optional topics in your integration. > RED\_MESSAGE > > If you are developing using test credentials, go to \*\*Your integrations > Application details > Test credentials > Test credentials data\*\*, sign in to \[Mercado Pago Developers\](https://www.mercadopago.com.ar/developers/en/docs) with the username and password of that test account, and configure the Webhooks in production mode for that account. This way, you will be able to test the notifications correctly. 1\. Go to \[Your integrations\](https://www.mercadopago.com/developers/panel/app) and select the application for which you want to activate notifications. !\[configure notifications\](https://www.mercadopago.com.ar/images/api-orders/not1-app-es-v1.png) 2\. In the left menu, select \*\*Webhooks > Configure notifications\*\*. !\[configure notifications\](https://www.mercadopago.com.ar/images/api-orders/not2-configure-es-v1.png) 3\. Select the \*\*Production mode\*\* tab and provide an \`HTTPS URL\` to receive notifications. 4\. In the optional topics section, select the events you want to activate: \*\*Application linking\*\*, \*\*Claims\*\*, and/or \*\*Chargebacks\*\*. 5\. Finally, click \*\*Save configuration\*\*. This will generate a :toolTipComponent\[secret key\]{content="Key used to validate the authenticity of each received notification." link="/developers/en/docs/your-integrations/notifications/webhooks"} for your application. Note that this key has no expiration date and periodic renewal is not mandatory, though recommended. To do so, click the \*\*Reset\*\* button. ## Simulate receiving the notification To ensure notifications are configured correctly, simulate receiving them by following the steps below. 1\. After configuring your Webhooks, click \*\*Simulate notification\*\*. 2\. On the simulation screen, select the URL to test. 3\. Choose the event type you want to test and enter the \*\*resource ID\*\* to be sent in the notification body (\`Data ID\`). !\[cofigure notifications\](https://www.mercadopago.com.ar/images/api-orders/not5-order-es-v2.png) 4\. Finally, click \*\*Send test\*\* to verify the request, the server response, and the event description. ## Validate the notification origin Validating the origin of a notification is essential to ensure the security and authenticity of the received information. This process helps prevent fraud and ensures that only legitimate notifications are processed. Mercado Pago will send your server a notification similar to the example below. Below are examples of notifications for each topic. ::::TabsComponent :::TabComponent{title="Application linking"} \`\`\` POST /?data.id=123456789&type=mp-connect HTTP/1.1 Host: test-optional-nots.requestcatcher.com Accept: \*/\* Accept-Encoding: \* Connection: keep-alive Content-Length: 187 Content-Type: application/json User-Agent: restclient-node/5.1.10 X-Request-Id: 4ed4fa2b-0b31-42ec-a62f-ad793c486c59 X-Rest-Pool-Name: /services/webhooks.js X-Retry: 0 X-Signature: ts=1781009491,v1=654866c48793d9f716f255f8a8e6cb162f643d93b29391daa6ac7ce78cf0ce81 X-Socket-Timeout: 22000 {"action":"application.authorized","api\_version":"v1","data":{"id":"123456789"},"date\_created":"2026-06-12T13:14:01.351Z","id":100000000000,"live\_mode":true,"type":"mp-connect","user\_id":123456789} \`\`\` | Field | Type | Description | |---|---|---| | \`action\` | string | Notified event. Possible values: \`application.authorized\` (linking) and \`application.deauthorized\` (unlinking). | | \`api\_version\` | string | API version. Always \`v1\`. | | \`data.id\` | string | Identifier of the resource associated with the event. | | \`date\_created\` | string | Notification creation date (ISO 8601). | | \`id\` | long | Unique notification identifier. Use it for idempotency control. | | \`live\_mode\` | boolean | \`true\` in production, \`false\` in test mode. | | \`type\` | string | Always \`mp-connect\`. | | \`user\_id\` | long | Identifier of the seller for whom the notification is sent. | ::: :::TabComponent{title="Claims"} \`\`\` POST /?data.id=1234567890&type=claim HTTP/1.1 Host: test-optional-nots.requestcatcher.com Accept: \*/\* Accept-Encoding: \* Connection: keep-alive Content-Length: 207 Content-Type: application/json User-Agent: restclient-node/5.1.10 X-Request-Id: 1d07590a-fd51-4e67-8b13-7d45600670e5 X-Rest-Pool-Name: /services/webhooks.js X-Retry: 0 X-Signature: ts=1781009658,v1=e446ded9a9e0dd94acba3fd0fa9e35e497abcf2ef11a6d0f5291f7c7eab00fb7 X-Socket-Timeout: 22000 {"action":"updated","api\_version":"v1","data":{"id":1234567890,"resource":"/v1/claims/1234567890"},"date\_created":"2026-06-12T06:14:40-04:00","id":"00000000-0000-0000-0000-000000000001","live\_mode":true,"type":"claim","user\_id":123456789} \`\`\` | Field | Type | Description | |---|---|---| | \`action\` | string | Notified event. Indicates the action that occurred on the claim. | | \`api\_version\` | string | API version. Always \`v1\`. | | \`data.id\` | long | Unique identifier of the claim. | | \`data.resource\` | string | Path of the claim resource in the API. | | \`date\_created\` | string | Notification creation date (ISO 8601). | | \`id\` | string | Unique notification identifier (UUID). Use it for idempotency control. | | \`live\_mode\` | boolean | \`true\` in production, \`false\` in test mode. | | \`type\` | string | Always \`claim\`. | | \`user\_id\` | long | Identifier of the seller for whom the notification is sent. | ::: :::TabComponent{title="Chargebacks"} \`\`\` POST /?data.id=114544942708&type=topic\_chargebacks\_wh HTTP/1.1 Host: test-optional-nots.requestcatcher.com Accept: \*/\* Accept-Encoding: \* Connection: keep-alive Content-Type: application/json User-Agent: restclient-node/5.1.10 X-Request-Id: 948ac0a7-bf77-4877-8fe8-8ab69a356fa4 X-Rest-Pool-Name: /services/webhooks.js X-Retry: 0 X-Signature: ts=1781009697,v1=108c6756aa1b96a5303b41769bb89261ebeb2922333b483886502f5b7ae3d79d X-Socket-Timeout: 22000 {"actions":\["changed\_case\_status"\],"api\_version":"v1","application\_id":1234567890987654,"data":{"checkout":"PRO","date\_updated":"0001-01-01T00:00:00Z","id":217000061307271000,"payment\_id":81034165129,"product\_id":"BC32A57TRPP001U8NHHG","site\_id":"MLA","transaction\_intent\_id":""},"date\_created":"2024-07-02T22:03:24-04:00","id":114544942708,"live\_mode":true,"type":"topic\_chargebacks\_wh","user\_id":123456789,"version":1720427447} \`\`\` | Field | Type | Description | |---|---|---| | \`actions\` | array | List of actions that occurred. For example, \`changed\_case\_status\`. | | \`api\_version\` | string | API version. Always \`v1\`. | | \`data.id\` | long | Chargeback identifier. | | \`data.payment\_id\` | long | Associated payment identifier. | | \`data.site\_id\` | string | Site identifier (country). | | \`date\_created\` | string | Notification creation date (ISO 8601). | | \`id\` | long | Notification identifier. | | \`live\_mode\` | boolean | \`true\` in production, \`false\` in test mode. | | \`type\` | string | Always \`topic\_chargebacks\_wh\`. | | \`user\_id\` | long | Seller identifier. | | \`version\` | long | Event version timestamp. | ::: :::: From the received notification, you can validate the authenticity of its origin through the secret key. This key will be sent in the \`x-signature\` \_header\_, with the following format: \`\`\` ts=1742505638683,v1=ced36ab6d33566bb1e16c125819b8d840d6b8ef136b0b9127c76064466f5229b \`\`\` To confirm the validation, extract the key from the \_header\_ and compare it with the key provided for your application in \[Your integrations\](https://www.mercadopago.com.ar/developers/panel/app). To confirm the validation, it is necessary to extract the key from the \_header\_ and compare it with the key provided for your application in \[Your integrations\](https://www.mercadopago.com.ar/developers/panel/app). Follow one of the approaches below to validate the authenticity of the notification. ::::TabsComponent :::TabComponent{title="With SDKs"} The official SDK implements HMAC-based Webhook Signature Verification to authenticate the origin of each received notification. To get your secret key (\`secret\`), go to \[Your integrations\](https://www.mercadopago.com.ar/developers/panel/app), select the application, click \*\*Webhooks > Configure notification\*\* and reveal the generated key. 

* [csharp ](#editor%5F5)
* [go ](#editor%5F4)
* [java ](#editor%5F6)
* [javascript ](#editor%5F2)
* [php ](#editor%5F1)
* [python ](#editor%5F3)
* [ruby ](#editor%5F7)
php javascript python go csharp java ruby 

```
<?php
use MercadoPago\Webhook\WebhookSignatureValidator;
use MercadoPago\Exceptions\InvalidWebhookSignatureException;

try {
  WebhookSignatureValidator::validate(
  $_SERVER['HTTP_X_SIGNATURE'],
  $_SERVER['HTTP_X_REQUEST_ID'],
  $_GET['data_id'],
  $secret
  );
  http_response_code(200);
} catch (InvalidWebhookSignatureException $e) {
  http_response_code(401);
}
```

Copiar 

```
import { WebhookSignatureValidator, InvalidWebhookSignatureError } from 'mercadopago';

try {
  WebhookSignatureValidator.validate({
  xSignature: req.headers['x-signature'],
  xRequestId: req.headers['x-request-id'],
  dataId: req.query['data.id'],
  secret,
  });
  res.sendStatus(200);
} catch (err) {
  if (err instanceof InvalidWebhookSignatureError) res.status(401).end();
  else throw err;
}
```

Copiar 

```
from mercadopago.webhook import WebhookSignatureValidator, InvalidWebhookSignatureError

try:
  WebhookSignatureValidator.validate(
  request.headers.get("x-signature"),
  request.headers.get("x-request-id"),
  request.args.get("data.id"),
  secret,
  )
  return "", 200
except InvalidWebhookSignatureError:
  return "", 401
```

Copiar 

```
import "github.com/mercadopago/sdk-go/pkg/webhook"

err := webhook.ValidateSignature(
  r.Header.Get("x-signature"),
  r.Header.Get("x-request-id"),
  r.URL.Query().Get("data.id"),
  secret,
)
if err != nil {
  w.WriteHeader(http.StatusUnauthorized)
  return
}
w.WriteHeader(http.StatusOK)
```

Copiar 

```
using MercadoPago.Error;
using MercadoPago.Webhook;

try {
  WebhookSignatureValidator.Validate(
  xSignature: Request.Headers["x-signature"],
  xRequestId: Request.Headers["x-request-id"],
  dataId: Request.Query["data.id"],
  secret: secret);
  return Ok();
} catch (InvalidWebhookSignatureException) {
  return Unauthorized();
}
```

Copiar 

```
import com.mercadopago.webhook.WebhookSignatureValidator;
import com.mercadopago.exceptions.MPInvalidWebhookSignatureException;

try {
  WebhookSignatureValidator.validate(
  request.getHeader("x-signature"),
  request.getHeader("x-request-id"),
  request.getParameter("data.id"),
  secret);
  response.setStatus(200);
} catch (MPInvalidWebhookSignatureException e) {
  response.setStatus(401);
}
```

Copiar 

```
require 'mercadopago/webhook/validator'

begin
  Mercadopago::Webhook::Validator.validate(
  request.headers['x-signature'],
  request.headers['x-request-id'],
  request.params['data.id'],
  secret
  )
  head :ok
rescue Mercadopago::Webhook::InvalidWebhookSignatureError
  head :unauthorized
end
```

Copiar 

::: :::TabComponent{title="Without SDKs"} If you don't use the official SDK, you can manually validate the authenticity of notifications by following these steps: 1\. To extract the \_timestamp\_ (\`ts\`) and key (\`v1\`) from the \`x-signature\` \_header\_, divide the \_header\_ content by the \`,\` character, which will result in a list of elements. The value for the \`ts\` prefix is the notification \_timestamp\_ (in milliseconds) and \`v1\` is the encrypted key. 2\. Using the \_template\_ below, substitute the parameters with the data received in your notification. \`\`\` id:\[data.id\_url\];request-id:\[x-request-id\_header\];ts:\[ts\_header\]; \`\`\` - \`\[data.id\_url\]\` will be replaced by the value of the \`data.id\` parameter received in the URL \_query params\_. - \`\[x-request-id\_header\]\` must be replaced by the value received in the \`x-request-id\` \_header\_. - \`\[ts\_header\]\` will be the \`ts\` value extracted from the \`x-signature\` \_header\_. > NOTE > > If any of the values (\`data.id\`, \`x-request-id\`) are not present in the received notification, you must remove them from the manifest before computing the \`HMAC\`. 3\. In \[Your integrations\](https://www.mercadopago.com.ar/developers/panel/app), select the integrated application, click \*\*Webhooks > Configure notification\*\* and reveal the generated secret key. 4\. Generate the counter-key for validation. To do this, compute an \[HMAC\](https://en.wikipedia.org/wiki/HMAC) with the \`SHA256 hash\` function in hexadecimal base, using the secret key as the key and the \_template\_ with the values as the message. 

* [java ](#editor%5F10)
* [node ](#editor%5F9)
* [php ](#editor%5F8)
* [python ](#editor%5F11)
php node java python 

```
$cyphedSignature = hash_hmac('sha256', $data, $key);
```

Copiar 

```
const crypto = require('crypto');
const cyphedSignature = crypto
  .createHmac('sha256', secret)
  .update(signatureTemplateParsed)
  .digest('hex');
```

Copiar 

```
String cyphedSignature = new HmacUtils("HmacSHA256", secret).hmacHex(signedTemplate);
```

Copiar 

```
import hashlib, hmac, binascii

cyphedSignature = binascii.hexlify(hmac.new(secret.encode(), signedTemplate.encode(), hashlib.sha256).digest())
```

Copiar 

5\. Finally, compare the generated key with the key extracted from the \_header\_, ensuring they match exactly. Additionally, you can use the \_timestamp\_ extracted from the \_header\_ to compare it with a \_timestamp\_ generated at the time of receipt, in order to establish a delay tolerance in receiving the message. Here are complete code examples: 

* [csharp ](#editor%5F16)
* [go ](#editor%5F15)
* [java ](#editor%5F17)
* [javascript ](#editor%5F13)
* [php ](#editor%5F12)
* [python ](#editor%5F14)
* [ruby ](#editor%5F18)
php javascript python go csharp java ruby 

```
<?php
$xSignature = $_SERVER['HTTP_X_SIGNATURE'] ?? '';
$xRequestId = $_SERVER['HTTP_X_REQUEST_ID'] ?? '';
$dataID = strtolower($_GET['data_id'] ?? ''); // PHP converts dots in query param names to underscores

$ts = null;
$hash = null;
foreach (explode(',', $xSignature) as $part) {
  $kv = explode('=', $part, 2);
  if (count($kv) !== 2) continue;
  $key = trim($kv[0]);
  $value = trim($kv[1]);
  if ($key === 'ts') $ts = $value;
  if ($key === 'v1') $hash = $value;
}

$parts = [];
if ($dataID !== '') $parts[] = "id:{$dataID}";
if ($xRequestId !== '') $parts[] = "request-id:{$xRequestId}";
$parts[] = "ts:{$ts}";
$manifest = implode(';', $parts) . ';';

$computed = hash_hmac('sha256', $manifest, $secret);
if (!hash_equals($computed, $hash)) {
  http_response_code(401);
  exit;
}
http_response_code(200);
```

Copiar 

```
const xSignature = req.headers['x-signature'] ?? '';
const xRequestId = req.headers['x-request-id'] ?? '';
const dataId = (req.query['data.id'] ?? '').toLowerCase();

let ts, hash;
for (const part of xSignature.split(',')) {
  const eq = part.indexOf('=');
  if (eq === -1) continue;
  const key = part.slice(0, eq).trim();
  const val = part.slice(eq + 1).trim();
  if (key === 'ts') ts = val;
  if (key === 'v1') hash = val;
}

const parts = [];
if (dataId) parts.push(`id:${dataId}`);
if (xRequestId) parts.push(`request-id:${xRequestId}`);
parts.push(`ts:${ts}`);
const manifest = parts.join(';') + ';';

const computed = crypto.createHmac('sha256', secret).update(manifest).digest('hex');
if (!crypto.timingSafeEqual(Buffer.from(computed), Buffer.from(hash))) {
  res.status(401).end();
  return;
}
res.sendStatus(200);
```

Copiar 

```
import hashlib
import hmac

x_signature = request.headers.get("x-signature", "")
x_request_id = request.headers.get("x-request-id", "")
data_id = (request.args.get("data.id", "") or "").lower()

ts = hash_value = None
for part in x_signature.split(","):
  if "=" not in part:
  continue
  key, _, value = part.partition("=")
  key = key.strip()
  value = value.strip()
  if key == "ts": ts = value
  if key == "v1": hash_value = value

parts = []
if data_id: parts.append(f"id:{data_id}")
if x_request_id: parts.append(f"request-id:{x_request_id}")
parts.append(f"ts:{ts}")
manifest = ";".join(parts) + ";"

computed = hmac.new(secret.encode(), manifest.encode(), hashlib.sha256).hexdigest()
if not hmac.compare_digest(computed, hash_value):
  return "", 401
return "", 200
```

Copiar 

```
import (
  "crypto/hmac"
  "crypto/sha256"
  "encoding/hex"
  "net/http"
  "strings"
)

xSignature := r.Header.Get("x-signature")
xRequestID := r.Header.Get("x-request-id")
dataID := strings.ToLower(r.URL.Query().Get("data.id"))

var ts, hash string
for _, part := range strings.Split(xSignature, ",") {
  kv := strings.SplitN(part, "=", 2)
  if len(kv) != 2 { continue }
  key := strings.TrimSpace(kv[0])
  val := strings.TrimSpace(kv[1])
  if key == "ts" { ts = val }
  if key == "v1" { hash = val }
}

var parts []string
if dataID != "" { parts = append(parts, "id:"+dataID) }
if xRequestID != "" { parts = append(parts, "request-id:"+xRequestID) }
parts = append(parts, "ts:"+ts)
manifest := strings.Join(parts, ";") + ";"

mac := hmac.New(sha256.New, []byte(secret))
mac.Write([]byte(manifest))
computed := hex.EncodeToString(mac.Sum(nil))

if !hmac.Equal([]byte(computed), []byte(hash)) {
  w.WriteHeader(http.StatusUnauthorized)
  return
}
w.WriteHeader(http.StatusOK)
```

Copiar 

using System.Security.Cryptography; using System.Text; var xSignature = Request.Headers\["x-signature"\].ToString(); var xRequestId = Request.Headers\["x-request-id"\].ToString(); var dataId = (Request.Query\["data.id"\].ToString() ?? "").ToLowerInvariant(); string ts = null, hash = null; foreach (var part in xSignature.Split(',')) { var eq = part.IndexOf('='); if (eq < 0) continue; var key = part\[..eq\].Trim(); var val = part\[(eq + 1)..\].Trim(); if (key == "ts") ts = val; if (key == "v1") hash = val; } var parts = new List<string>(); if (!string.IsNullOrEmpty(dataId)) parts.Add(\[\[\[ \`\`\`php <?php $xSignature = $\_SERVER\['HTTP\_X\_SIGNATURE'\] ?? ''; $xRequestId = $\_SERVER\['HTTP\_X\_REQUEST\_ID'\] ?? ''; $dataID = strtolower($\_GET\['data\_id'\] ?? ''); // PHP converts dots in query param names to underscores $ts = null; $hash = null; foreach (explode(',', $xSignature) as $part) { $kv = explode('=', $part, 2); if (count($kv) !== 2) continue; $key = trim($kv\[0\]); $value = trim($kv\[1\]); if ($key === 'ts') $ts = $value; if ($key === 'v1') $hash = $value; } $parts = \[\]; if ($dataID !== '') $parts\[\] = "id:{$dataID}"; if ($xRequestId !== '') $parts\[\] = "request-id:{$xRequestId}"; $parts\[\] = "ts:{$ts}"; $manifest = implode(';', $parts) . ';'; $computed = hash\_hmac('sha256', $manifest, $secret); if (!hash\_equals($computed, $hash)) { http\_response\_code(401); exit; } http\_response\_code(200); \`\`\` \`\`\`javascript const xSignature = req.headers\['x-signature'\] ?? ''; const xRequestId = req.headers\['x-request-id'\] ?? ''; const dataId = (req.query\['data.id'\] ?? '').toLowerCase(); let ts, hash; for (const part of xSignature.split(',')) { const eq = part.indexOf('='); if (eq === -1) continue; const key = part.slice(0, eq).trim(); const val = part.slice(eq + 1).trim(); if (key === 'ts') ts = val; if (key === 'v1') hash = val; } const parts = \[\]; if (dataId) parts.push(\`id:${dataId}\`); if (xRequestId) parts.push(\`request-id:${xRequestId}\`); parts.push(\`ts:${ts}\`); const manifest = parts.join(';') + ';'; const computed = crypto.createHmac('sha256', secret).update(manifest).digest('hex'); if (!crypto.timingSafeEqual(Buffer.from(computed), Buffer.from(hash))) { res.status(401).end(); return; } res.sendStatus(200); \`\`\` \`\`\`python import hashlib import hmac x\_signature = request.headers.get("x-signature", "") x\_request\_id = request.headers.get("x-request-id", "") data\_id = (request.args.get("data.id", "") or "").lower() ts = hash\_value = None for part in x\_signature.split(","): if "=" not in part: continue key, \_, value = part.partition("=") key = key.strip() value = value.strip() if key == "ts": ts = value if key == "v1": hash\_value = value parts = \[\] if data\_id: parts.append(f"id:{data\_id}") if x\_request\_id: parts.append(f"request-id:{x\_request\_id}") parts.append(f"ts:{ts}") manifest = ";".join(parts) + ";" computed = hmac.new(secret.encode(), manifest.encode(), hashlib.sha256).hexdigest() if not hmac.compare\_digest(computed, hash\_value): return "", 401 return "", 200 \`\`\` \`\`\`go import ( "crypto/hmac" "crypto/sha256" "encoding/hex" "net/http" "strings" ) xSignature := r.Header.Get("x-signature") xRequestID := r.Header.Get("x-request-id") dataID := strings.ToLower(r.URL.Query().Get("data.id")) var ts, hash string for \_, part := range strings.Split(xSignature, ",") { kv := strings.SplitN(part, "=", 2) if len(kv) != 2 { continue } key := strings.TrimSpace(kv\[0\]) val := strings.TrimSpace(kv\[1\]) if key == "ts" { ts = val } if key == "v1" { hash = val } } var parts \[\]string if dataID != "" { parts = append(parts, "id:"+dataID) } if xRequestID != "" { parts = append(parts, "request-id:"+xRequestID) } parts = append(parts, "ts:"+ts) manifest := strings.Join(parts, ";") + ";" mac := hmac.New(sha256.New, \[\]byte(secret)) mac.Write(\[\]byte(manifest)) computed := hex.EncodeToString(mac.Sum(nil)) if !hmac.Equal(\[\]byte(computed), \[\]byte(hash)) { w.WriteHeader(http.StatusUnauthorized) return } w.WriteHeader(http.StatusOK) \`\`\` \`\`\`csharp using System.Security.Cryptography; using System.Text; var xSignature = Request.Headers\["x-signature"\].ToString(); var xRequestId = Request.Headers\["x-request-id"\].ToString(); var dataId = (Request.Query\["data.id"\].ToString() ?? "").ToLowerInvariant(); string ts = null, hash = null; foreach (var part in xSignature.Split(',')) { var eq = part.IndexOf('='); if (eq < 0) continue; var key = part\[..eq\].Trim(); var val = part\[(eq + 1)..\].Trim(); if (key == "ts") ts = val; if (key == "v1") hash = val; } var parts = new List(); if (!string.IsNullOrEmpty(dataId)) parts.Add($"id:{dataId}"); if (!string.IsNullOrEmpty(xRequestId)) parts.Add($"request-id:{xRequestId}"); parts.Add($"ts:{ts}"); var manifest = string.Join(";", parts) + ";"; using var hmacSha = new HMACSHA256(Encoding.UTF8.GetBytes(secret)); var computed = BitConverter .ToString(hmacSha.ComputeHash(Encoding.UTF8.GetBytes(manifest))) .Replace("-", "").ToLowerInvariant(); if (!CryptographicOperations.FixedTimeEquals( Encoding.UTF8.GetBytes(computed), Encoding.UTF8.GetBytes(hash))) { return Unauthorized(); } return Ok(); \`\`\` \`\`\`java import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.util.ArrayList; import java.util.List; String xSignature = request.getHeader("x-signature") != null ? request.getHeader("x-signature") : ""; String xRequestId = request.getHeader("x-request-id") != null ? request.getHeader("x-request-id") : ""; String dataId = request.getParameter("data.id") != null ? request.getParameter("data.id").toLowerCase() : ""; String ts = null, hash = null; for (String part : xSignature.split(",")) { String\[\] kv = part.split("=", 2); if (kv.length != 2) continue; String key = kv\[0\].trim(); String val = kv\[1\].trim(); if ("ts".equals(key)) ts = val; if ("v1".equals(key)) hash = val; } List parts = new ArrayList<>(); if (!dataId.isEmpty()) parts.add("id:" + dataId); if (!xRequestId.isEmpty()) parts.add("request-id:" + xRequestId); parts.add("ts:" + ts); String manifest = String.join(";", parts) + ";"; Mac mac = Mac.getInstance("HmacSHA256"); mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF\_8), "HmacSHA256")); byte\[\] bytes = mac.doFinal(manifest.getBytes(StandardCharsets.UTF\_8)); StringBuilder sb = new StringBuilder(); for (byte b : bytes) sb.append(String.format("%02x", b & 0xff)); String computed = sb.toString(); if (!MessageDigest.isEqual( computed.getBytes(StandardCharsets.UTF\_8), hash.getBytes(StandardCharsets.UTF\_8))) { response.setStatus(401); return; } response.setStatus(200); \`\`\` \`\`\`ruby require 'openssl' x\_signature = request.headers\['x-signature'\] || '' x\_request\_id = request.headers\['x-request-id'\] || '' data\_id = (params\['data.id'\] || '').downcase ts = hash\_value = nil x\_signature.split(',').each do |part| key, value = part.split('=', 2) next unless key && value ts = value.strip if key.strip == 'ts' hash\_value = value.strip if key.strip == 'v1' end parts = \[\] parts << "id:#{data\_id}" unless data\_id.empty? parts << "request-id:#{x\_request\_id}" unless x\_request\_id.empty? parts << "ts:#{ts}" manifest = "#{parts.join(';')};" computed = OpenSSL::HMAC.hexdigest('SHA256', secret, manifest) unless OpenSSL.fixed\_length\_secure\_compare(computed, hash\_value) head :unauthorized return end head :ok \`\`\` \]\]\]quot;id:{dataId}"); if (!string.IsNullOrEmpty(xRequestId)) parts.Add(\[\[\[ \`\`\`php <?php $xSignature = $\_SERVER\['HTTP\_X\_SIGNATURE'\] ?? ''; $xRequestId = $\_SERVER\['HTTP\_X\_REQUEST\_ID'\] ?? ''; $dataID = strtolower($\_GET\['data\_id'\] ?? ''); // PHP converts dots in query param names to underscores $ts = null; $hash = null; foreach (explode(',', $xSignature) as $part) { $kv = explode('=', $part, 2); if (count($kv) !== 2) continue; $key = trim($kv\[0\]); $value = trim($kv\[1\]); if ($key === 'ts') $ts = $value; if ($key === 'v1') $hash = $value; } $parts = \[\]; if ($dataID !== '') $parts\[\] = "id:{$dataID}"; if ($xRequestId !== '') $parts\[\] = "request-id:{$xRequestId}"; $parts\[\] = "ts:{$ts}"; $manifest = implode(';', $parts) . ';'; $computed = hash\_hmac('sha256', $manifest, $secret); if (!hash\_equals($computed, $hash)) { http\_response\_code(401); exit; } http\_response\_code(200); \`\`\` \`\`\`javascript const xSignature = req.headers\['x-signature'\] ?? ''; const xRequestId = req.headers\['x-request-id'\] ?? ''; const dataId = (req.query\['data.id'\] ?? '').toLowerCase(); let ts, hash; for (const part of xSignature.split(',')) { const eq = part.indexOf('='); if (eq === -1) continue; const key = part.slice(0, eq).trim(); const val = part.slice(eq + 1).trim(); if (key === 'ts') ts = val; if (key === 'v1') hash = val; } const parts = \[\]; if (dataId) parts.push(\`id:${dataId}\`); if (xRequestId) parts.push(\`request-id:${xRequestId}\`); parts.push(\`ts:${ts}\`); const manifest = parts.join(';') + ';'; const computed = crypto.createHmac('sha256', secret).update(manifest).digest('hex'); if (!crypto.timingSafeEqual(Buffer.from(computed), Buffer.from(hash))) { res.status(401).end(); return; } res.sendStatus(200); \`\`\` \`\`\`python import hashlib import hmac x\_signature = request.headers.get("x-signature", "") x\_request\_id = request.headers.get("x-request-id", "") data\_id = (request.args.get("data.id", "") or "").lower() ts = hash\_value = None for part in x\_signature.split(","): if "=" not in part: continue key, \_, value = part.partition("=") key = key.strip() value = value.strip() if key == "ts": ts = value if key == "v1": hash\_value = value parts = \[\] if data\_id: parts.append(f"id:{data\_id}") if x\_request\_id: parts.append(f"request-id:{x\_request\_id}") parts.append(f"ts:{ts}") manifest = ";".join(parts) + ";" computed = hmac.new(secret.encode(), manifest.encode(), hashlib.sha256).hexdigest() if not hmac.compare\_digest(computed, hash\_value): return "", 401 return "", 200 \`\`\` \`\`\`go import ( "crypto/hmac" "crypto/sha256" "encoding/hex" "net/http" "strings" ) xSignature := r.Header.Get("x-signature") xRequestID := r.Header.Get("x-request-id") dataID := strings.ToLower(r.URL.Query().Get("data.id")) var ts, hash string for \_, part := range strings.Split(xSignature, ",") { kv := strings.SplitN(part, "=", 2) if len(kv) != 2 { continue } key := strings.TrimSpace(kv\[0\]) val := strings.TrimSpace(kv\[1\]) if key == "ts" { ts = val } if key == "v1" { hash = val } } var parts \[\]string if dataID != "" { parts = append(parts, "id:"+dataID) } if xRequestID != "" { parts = append(parts, "request-id:"+xRequestID) } parts = append(parts, "ts:"+ts) manifest := strings.Join(parts, ";") + ";" mac := hmac.New(sha256.New, \[\]byte(secret)) mac.Write(\[\]byte(manifest)) computed := hex.EncodeToString(mac.Sum(nil)) if !hmac.Equal(\[\]byte(computed), \[\]byte(hash)) { w.WriteHeader(http.StatusUnauthorized) return } w.WriteHeader(http.StatusOK) \`\`\` \`\`\`csharp using System.Security.Cryptography; using System.Text; var xSignature = Request.Headers\["x-signature"\].ToString(); var xRequestId = Request.Headers\["x-request-id"\].ToString(); var dataId = (Request.Query\["data.id"\].ToString() ?? "").ToLowerInvariant(); string ts = null, hash = null; foreach (var part in xSignature.Split(',')) { var eq = part.IndexOf('='); if (eq < 0) continue; var key = part\[..eq\].Trim(); var val = part\[(eq + 1)..\].Trim(); if (key == "ts") ts = val; if (key == "v1") hash = val; } var parts = new List(); if (!string.IsNullOrEmpty(dataId)) parts.Add($"id:{dataId}"); if (!string.IsNullOrEmpty(xRequestId)) parts.Add($"request-id:{xRequestId}"); parts.Add($"ts:{ts}"); var manifest = string.Join(";", parts) + ";"; using var hmacSha = new HMACSHA256(Encoding.UTF8.GetBytes(secret)); var computed = BitConverter .ToString(hmacSha.ComputeHash(Encoding.UTF8.GetBytes(manifest))) .Replace("-", "").ToLowerInvariant(); if (!CryptographicOperations.FixedTimeEquals( Encoding.UTF8.GetBytes(computed), Encoding.UTF8.GetBytes(hash))) { return Unauthorized(); } return Ok(); \`\`\` \`\`\`java import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.util.ArrayList; import java.util.List; String xSignature = request.getHeader("x-signature") != null ? request.getHeader("x-signature") : ""; String xRequestId = request.getHeader("x-request-id") != null ? request.getHeader("x-request-id") : ""; String dataId = request.getParameter("data.id") != null ? request.getParameter("data.id").toLowerCase() : ""; String ts = null, hash = null; for (String part : xSignature.split(",")) { String\[\] kv = part.split("=", 2); if (kv.length != 2) continue; String key = kv\[0\].trim(); String val = kv\[1\].trim(); if ("ts".equals(key)) ts = val; if ("v1".equals(key)) hash = val; } List parts = new ArrayList<>(); if (!dataId.isEmpty()) parts.add("id:" + dataId); if (!xRequestId.isEmpty()) parts.add("request-id:" + xRequestId); parts.add("ts:" + ts); String manifest = String.join(";", parts) + ";"; Mac mac = Mac.getInstance("HmacSHA256"); mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF\_8), "HmacSHA256")); byte\[\] bytes = mac.doFinal(manifest.getBytes(StandardCharsets.UTF\_8)); StringBuilder sb = new StringBuilder(); for (byte b : bytes) sb.append(String.format("%02x", b & 0xff)); String computed = sb.toString(); if (!MessageDigest.isEqual( computed.getBytes(StandardCharsets.UTF\_8), hash.getBytes(StandardCharsets.UTF\_8))) { response.setStatus(401); return; } response.setStatus(200); \`\`\` \`\`\`ruby require 'openssl' x\_signature = request.headers\['x-signature'\] || '' x\_request\_id = request.headers\['x-request-id'\] || '' data\_id = (params\['data.id'\] || '').downcase ts = hash\_value = nil x\_signature.split(',').each do |part| key, value = part.split('=', 2) next unless key && value ts = value.strip if key.strip == 'ts' hash\_value = value.strip if key.strip == 'v1' end parts = \[\] parts << "id:#{data\_id}" unless data\_id.empty? parts << "request-id:#{x\_request\_id}" unless x\_request\_id.empty? parts << "ts:#{ts}" manifest = "#{parts.join(';')};" computed = OpenSSL::HMAC.hexdigest('SHA256', secret, manifest) unless OpenSSL.fixed\_length\_secure\_compare(computed, hash\_value) head :unauthorized return end head :ok \`\`\` \]\]\]quot;request-id:{xRequestId}"); parts.Add(\[\[\[ \`\`\`php <?php $xSignature = $\_SERVER\['HTTP\_X\_SIGNATURE'\] ?? ''; $xRequestId = $\_SERVER\['HTTP\_X\_REQUEST\_ID'\] ?? ''; $dataID = strtolower($\_GET\['data\_id'\] ?? ''); // PHP converts dots in query param names to underscores $ts = null; $hash = null; foreach (explode(',', $xSignature) as $part) { $kv = explode('=', $part, 2); if (count($kv) !== 2) continue; $key = trim($kv\[0\]); $value = trim($kv\[1\]); if ($key === 'ts') $ts = $value; if ($key === 'v1') $hash = $value; } $parts = \[\]; if ($dataID !== '') $parts\[\] = "id:{$dataID}"; if ($xRequestId !== '') $parts\[\] = "request-id:{$xRequestId}"; $parts\[\] = "ts:{$ts}"; $manifest = implode(';', $parts) . ';'; $computed = hash\_hmac('sha256', $manifest, $secret); if (!hash\_equals($computed, $hash)) { http\_response\_code(401); exit; } http\_response\_code(200); \`\`\` \`\`\`javascript const xSignature = req.headers\['x-signature'\] ?? ''; const xRequestId = req.headers\['x-request-id'\] ?? ''; const dataId = (req.query\['data.id'\] ?? '').toLowerCase(); let ts, hash; for (const part of xSignature.split(',')) { const eq = part.indexOf('='); if (eq === -1) continue; const key = part.slice(0, eq).trim(); const val = part.slice(eq + 1).trim(); if (key === 'ts') ts = val; if (key === 'v1') hash = val; } const parts = \[\]; if (dataId) parts.push(\`id:${dataId}\`); if (xRequestId) parts.push(\`request-id:${xRequestId}\`); parts.push(\`ts:${ts}\`); const manifest = parts.join(';') + ';'; const computed = crypto.createHmac('sha256', secret).update(manifest).digest('hex'); if (!crypto.timingSafeEqual(Buffer.from(computed), Buffer.from(hash))) { res.status(401).end(); return; } res.sendStatus(200); \`\`\` \`\`\`python import hashlib import hmac x\_signature = request.headers.get("x-signature", "") x\_request\_id = request.headers.get("x-request-id", "") data\_id = (request.args.get("data.id", "") or "").lower() ts = hash\_value = None for part in x\_signature.split(","): if "=" not in part: continue key, \_, value = part.partition("=") key = key.strip() value = value.strip() if key == "ts": ts = value if key == "v1": hash\_value = value parts = \[\] if data\_id: parts.append(f"id:{data\_id}") if x\_request\_id: parts.append(f"request-id:{x\_request\_id}") parts.append(f"ts:{ts}") manifest = ";".join(parts) + ";" computed = hmac.new(secret.encode(), manifest.encode(), hashlib.sha256).hexdigest() if not hmac.compare\_digest(computed, hash\_value): return "", 401 return "", 200 \`\`\` \`\`\`go import ( "crypto/hmac" "crypto/sha256" "encoding/hex" "net/http" "strings" ) xSignature := r.Header.Get("x-signature") xRequestID := r.Header.Get("x-request-id") dataID := strings.ToLower(r.URL.Query().Get("data.id")) var ts, hash string for \_, part := range strings.Split(xSignature, ",") { kv := strings.SplitN(part, "=", 2) if len(kv) != 2 { continue } key := strings.TrimSpace(kv\[0\]) val := strings.TrimSpace(kv\[1\]) if key == "ts" { ts = val } if key == "v1" { hash = val } } var parts \[\]string if dataID != "" { parts = append(parts, "id:"+dataID) } if xRequestID != "" { parts = append(parts, "request-id:"+xRequestID) } parts = append(parts, "ts:"+ts) manifest := strings.Join(parts, ";") + ";" mac := hmac.New(sha256.New, \[\]byte(secret)) mac.Write(\[\]byte(manifest)) computed := hex.EncodeToString(mac.Sum(nil)) if !hmac.Equal(\[\]byte(computed), \[\]byte(hash)) { w.WriteHeader(http.StatusUnauthorized) return } w.WriteHeader(http.StatusOK) \`\`\` \`\`\`csharp using System.Security.Cryptography; using System.Text; var xSignature = Request.Headers\["x-signature"\].ToString(); var xRequestId = Request.Headers\["x-request-id"\].ToString(); var dataId = (Request.Query\["data.id"\].ToString() ?? "").ToLowerInvariant(); string ts = null, hash = null; foreach (var part in xSignature.Split(',')) { var eq = part.IndexOf('='); if (eq < 0) continue; var key = part\[..eq\].Trim(); var val = part\[(eq + 1)..\].Trim(); if (key == "ts") ts = val; if (key == "v1") hash = val; } var parts = new List(); if (!string.IsNullOrEmpty(dataId)) parts.Add($"id:{dataId}"); if (!string.IsNullOrEmpty(xRequestId)) parts.Add($"request-id:{xRequestId}"); parts.Add($"ts:{ts}"); var manifest = string.Join(";", parts) + ";"; using var hmacSha = new HMACSHA256(Encoding.UTF8.GetBytes(secret)); var computed = BitConverter .ToString(hmacSha.ComputeHash(Encoding.UTF8.GetBytes(manifest))) .Replace("-", "").ToLowerInvariant(); if (!CryptographicOperations.FixedTimeEquals( Encoding.UTF8.GetBytes(computed), Encoding.UTF8.GetBytes(hash))) { return Unauthorized(); } return Ok(); \`\`\` \`\`\`java import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.util.ArrayList; import java.util.List; String xSignature = request.getHeader("x-signature") != null ? request.getHeader("x-signature") : ""; String xRequestId = request.getHeader("x-request-id") != null ? request.getHeader("x-request-id") : ""; String dataId = request.getParameter("data.id") != null ? request.getParameter("data.id").toLowerCase() : ""; String ts = null, hash = null; for (String part : xSignature.split(",")) { String\[\] kv = part.split("=", 2); if (kv.length != 2) continue; String key = kv\[0\].trim(); String val = kv\[1\].trim(); if ("ts".equals(key)) ts = val; if ("v1".equals(key)) hash = val; } List parts = new ArrayList<>(); if (!dataId.isEmpty()) parts.add("id:" + dataId); if (!xRequestId.isEmpty()) parts.add("request-id:" + xRequestId); parts.add("ts:" + ts); String manifest = String.join(";", parts) + ";"; Mac mac = Mac.getInstance("HmacSHA256"); mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF\_8), "HmacSHA256")); byte\[\] bytes = mac.doFinal(manifest.getBytes(StandardCharsets.UTF\_8)); StringBuilder sb = new StringBuilder(); for (byte b : bytes) sb.append(String.format("%02x", b & 0xff)); String computed = sb.toString(); if (!MessageDigest.isEqual( computed.getBytes(StandardCharsets.UTF\_8), hash.getBytes(StandardCharsets.UTF\_8))) { response.setStatus(401); return; } response.setStatus(200); \`\`\` \`\`\`ruby require 'openssl' x\_signature = request.headers\['x-signature'\] || '' x\_request\_id = request.headers\['x-request-id'\] || '' data\_id = (params\['data.id'\] || '').downcase ts = hash\_value = nil x\_signature.split(',').each do |part| key, value = part.split('=', 2) next unless key && value ts = value.strip if key.strip == 'ts' hash\_value = value.strip if key.strip == 'v1' end parts = \[\] parts << "id:#{data\_id}" unless data\_id.empty? parts << "request-id:#{x\_request\_id}" unless x\_request\_id.empty? parts << "ts:#{ts}" manifest = "#{parts.join(';')};" computed = OpenSSL::HMAC.hexdigest('SHA256', secret, manifest) unless OpenSSL.fixed\_length\_secure\_compare(computed, hash\_value) head :unauthorized return end head :ok \`\`\` \]\]\]quot;ts:{ts}"); var manifest = string.Join(";", parts) + ";"; using var hmacSha = new HMACSHA256(Encoding.UTF8.GetBytes(secret)); var computed = BitConverter .ToString(hmacSha.ComputeHash(Encoding.UTF8.GetBytes(manifest))) .Replace("-", "").ToLowerInvariant(); if (!CryptographicOperations.FixedTimeEquals( Encoding.UTF8.GetBytes(computed), Encoding.UTF8.GetBytes(hash))) { return Unauthorized(); } return Ok(); Copiar 

```
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

String xSignature = request.getHeader("x-signature") != null ? request.getHeader("x-signature") : "";
String xRequestId = request.getHeader("x-request-id") != null ? request.getHeader("x-request-id") : "";
String dataId = request.getParameter("data.id") != null
  ? request.getParameter("data.id").toLowerCase() : "";

String ts = null, hash = null;
for (String part : xSignature.split(",")) {
  String[] kv = part.split("=", 2);
  if (kv.length != 2) continue;
  String key = kv[0].trim();
  String val = kv[1].trim();
  if ("ts".equals(key)) ts = val;
  if ("v1".equals(key)) hash = val;
}

List<String> parts = new ArrayList<>();
if (!dataId.isEmpty()) parts.add("id:" + dataId);
if (!xRequestId.isEmpty()) parts.add("request-id:" + xRequestId);
parts.add("ts:" + ts);
String manifest = String.join(";", parts) + ";";

Mac mac = Mac.getInstance("HmacSHA256");
mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
byte[] bytes = mac.doFinal(manifest.getBytes(StandardCharsets.UTF_8));
StringBuilder sb = new StringBuilder();
for (byte b : bytes) sb.append(String.format("%02x", b & 0xff));
String computed = sb.toString();

if (!MessageDigest.isEqual(
  computed.getBytes(StandardCharsets.UTF_8),
  hash.getBytes(StandardCharsets.UTF_8)))
{
  response.setStatus(401);
  return;
}
response.setStatus(200);
```

Copiar 

```
require 'openssl'

x_signature = request.headers['x-signature'] || ''
x_request_id = request.headers['x-request-id'] || ''
data_id = (params['data.id'] || '').downcase

ts = hash_value = nil
x_signature.split(',').each do |part|
  key, value = part.split('=', 2)
  next unless key && value
  ts = value.strip if key.strip == 'ts'
  hash_value = value.strip if key.strip == 'v1'
end

parts = []
parts << "id:#{data_id}" unless data_id.empty?
parts << "request-id:#{x_request_id}" unless x_request_id.empty?
parts << "ts:#{ts}"
manifest = "#{parts.join(';')};"

computed = OpenSSL::HMAC.hexdigest('SHA256', secret, manifest)
unless OpenSSL.fixed_length_secure_compare(computed, hash_value)
  head :unauthorized
  return
end
head :ok
```

Copiar 

::: :::: ## Actions needed after receiving the notification When you receive a notification on your platform, Mercado Pago expects a response to validate that the receipt was correct. To do so, return an \`HTTP STATUS 200\` or \`201\` within 22 seconds of receipt. We recommend that you first respond with a \`200\` or \`201\`, and then process the notification on the server, to avoid duplicate notifications. If this response is not sent, the system will make new delivery attempts every 15 minutes. After the first failures, the interval progressively increases, but deliveries continue until the notification is confirmed.