At Evidos we are constantly striving to improve the security of our platform.
The Signhost postback service is meant to provide realtime updates on your transactions to your server.
We have two methods to secure postbacks:
The Digest method, as documented here: https://evidos.github.io/postback/
Postback security headers (added 24 Feb 2021)
These two methods can be used at the same time.
We have two methods to specify the Postback Url
The variable method, by sending us a Postback Url for each transaction when creating the transaction in the API with a POST call. This method supports only digest security.
The static method, by specifying the Postback Url(s) in our Portal for your applicaton. This method supports both Digest security, and security headers.
Please note that we will move to a variable IP, we advise you to not rely on IPwhitelisting as this may prevent us from delivering postbacks to your system.
This article explaines the Security header method in more detail.
Postback security headers
This security measure can be used by specifying one or more static postback Urls in our web portal. To manage this we've added a new page.
In our web portal a portal administrator can access the Push notifications menu. Click the button to go there directly. We will link this page from the regular portal menu at a later date.
On this page you can:
Add postback Urls
Delete postback Urls
See the postback Url status, such as:
If it uses a security header or not
If there are any postbacks queueing because of a server error in your application. The status then changes to failing.
Adding a Postback Url
When you add a new Postback Url, please remember to enter the whole link, with https://
Optionally, you can add an Authorization Header as well. This header will be used in every POST to your server endpoint, and can be used to validate if the Postback was sent by us before you have to apply further business logic.
You can enter any string, we advise you however to choose a secure and securely generated header.
Please note, you will first receive an empty postback after creating the postback URL.
Checks and statuses
On creating the Postback Url, we will check if your endpoint is http compliant. For this we will send a:
We will expect a valid response for these requests. The Post has to deliver back a status 2xx. The other requests can give back any valid http response.
Without a response the Postback Url cannot be created and a warning is shown.
By checking this Url we will make sure that your endpoint will handle all postbacks.
If we do not receive a valid response when your Url is operational, we will queue to prevent data loss. Read more about our queuing policy on the bottom of this page.
What will you receive
With each postback, we send an Authorization header. In this example, 123456789 is specified in the portal.
What happens to the current postback Url mechanism?
Please note that when you use this new header security method, the method of specifying the Postback Url remains the same.
When a Postback Url is entered by you in the Evidos web portal, we will always use this Url.
When you specify a Postback Url in your API POST Request, we will use that Url additionaly.
Both methods function independently of eachother. As a reminder, only by specifying a Postback Url in the portal, you are able to use the Header security.